Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
setup.msi

Overview

General Information

Sample name:setup.msi
Analysis ID:1578300
MD5:69a1ca360930e2d7e7e11fe55cdd5120
SHA1:04f37a7b9c2033e529074f4ffd4883e00746cdcb
SHA256:da82405461ea618b47cb324573fcf7c778ca56ad34ada7529b520f0ab51c3a5d
Tags:aterabrigadabombeirovistoria2025msirmmuser-johnk3r
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 2716 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 3712 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2352 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 66C0EE8C29E52882C8A385FD1BF92EE2 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5420 cmdline: rundll32.exe "C:\Windows\Installer\MSI2AF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5188468 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3408 cmdline: rundll32.exe "C:\Windows\Installer\MSI2E63.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5189453 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3568 cmdline: rundll32.exe "C:\Windows\Installer\MSI499D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5196218 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3304 cmdline: rundll32.exe "C:\Windows\Installer\MSI68F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5204234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 6416 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 2684 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7128 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 3364 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 6484 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="administrativo@viacolor.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OagB2IAJ" /AgentId="b4e82e32-b266-4530-919e-fe1de1f98e09" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 3124 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 42263619842A193E6FDC049D908E5C9F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 3004 cmdline: rundll32.exe "C:\Windows\Installer\MSI7561.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5273656 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 5064 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 5680 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 4164 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1276 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6360 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OagB2IAJ MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 180 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OagB2IAJ MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 368 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 1396 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 4612 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OagB2IAJ MD5: 67FEF41237025021CD4F792E8C24E95A)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 2428 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7160 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 3396 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 5316 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1400 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OagB2IAJ MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 3472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5268 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 2452 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 6756 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OagB2IAJ MD5: E9794F785780945D2DDE78520B9BB59F)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6968 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 6832 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OagB2IAJ MD5: DB1DB66EBD9B15B7DCD55374EA56EE5E)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 5808 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OagB2IAJ MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 3348 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OagB2IAJ MD5: CDE6BA86139AE458ABC24DAD31A66465)
      • conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 1224 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OagB2IAJ MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 6044 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 5784 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 4512 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
dropped/ConDrvJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Windows\Temp\~DF1B45AEA15F5573E8.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 70 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000028.00000002.2738412795.0000022F89F8F000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              00000017.00000002.2441669794.000001E48077D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                00000017.00000002.2442725300.000001E480E13000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  00000031.00000002.2837394106.0000019880229000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 383 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      51.0.AgentPackageTicketing.exe.28b618b0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        51.2.AgentPackageTicketing.exe.28b61c40000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          51.2.AgentPackageTicketing.exe.28b61c40000.1.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                            38.0.AgentPackageMonitoring.exe.1c16a980000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              51.2.AgentPackageTicketing.exe.28b61d40000.2.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 11 entries

                                Sigma Signatures

                                Sigma detected: Remote Thread Creation By Uncommon Source Image
                                Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\msiexec.exe, SourceProcessId: 6968, StartAddress: B7BEA480, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 6968
                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 368, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 1396, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6416, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 2684, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6416, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 2684, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 5784, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: 4f2997.rbf (copy)ReversingLabs: Detection: 26%
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 26%
                                Multi AV Scanner detection for submitted file
                                Source: setup.msiReversingLabs: Detection: 23%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.4% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F604E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,38_2_00007FF89F604E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F604DE0 CryptReleaseContext,38_2_00007FF89F604DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F604BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,38_2_00007FF89F604BC0
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000026.00000002.2637599786.000001C16B302000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3337876001.0000028B61D42000.00000002.00000001.01000000.00000044.sdmp
                                Source: Binary string: t.pdb source: AteraAgent.exe, 00000019.00000002.3194308228.0000025C689A1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2636886872.000001C16AD92000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 0000003C.00000002.2987420908.000001ECAAA02000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb_R source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 0000003C.00000002.3004222516.000001ECC3172000.00000002.00000001.01000000.00000034.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: dows\dll\mscorlib.pdbOID source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3094883197.000001EE6AA42000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000000.2920241940.000001ECA9FD2000.00000002.00000001.01000000.0000002D.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2792623804.000001ED7E862000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2792623804.000001ED7E862000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbP} source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb#J source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639212206.000001C16BCF2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbp source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2637599786.000001C16B302000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13EA000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13EA000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3206017787.000001FA6C6A2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3206017787.000001FA6C6A2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 0000003C.00000002.3004222516.000001ECC3172000.00000002.00000001.01000000.00000034.sdmp
                                Source: Binary string: mscorlib.pdb0 source: AgentPackageOsUpdates.exe, 00000037.00000002.3086239610.000001EE6A9D3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000037.00000002.3094883197.000001EE6AA42000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000026.00000002.2636886872.000001C16AD92000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBx source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3086239610.000001EE6A940000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2815256416.00007FF89F73C000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3281991179.00007FF89F86C000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2221876280.0000011D7B442000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2221876280.0000011D7B442000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbW source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE05000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003C.00000002.2987420908.000001ECAAA02000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip.pdbhI source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\System32\cscript.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611873h13_2_00007FF848610C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611A44h13_2_00007FF848610C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611FFFh13_2_00007FF848610C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF84861227Bh13_2_00007FF848610C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611FFFh13_2_00007FF848611EB6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611FFFh13_2_00007FF848611E88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611FFFh13_2_00007FF848611E7E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611873h13_2_00007FF84861184E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848611A44h13_2_00007FF84861184E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848624ECBh14_2_00007FF848624E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF84862227Bh14_2_00007FF84862225D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF848624ECBh25_2_00007FF848624E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF84862227Bh25_2_00007FF84862225D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF8488426E0h25_2_00007FF84884249D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax25_2_00007FF84883ACC3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF8488377F6h25_2_00007FF848836DBE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax25_2_00007FF84883ADB9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax25_2_00007FF84883AD21

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 51.2.AgentPackageTicketing.exe.28b61c40000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 19.0.AgentPackageAgentInformation.exe.23d017b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.9/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/27.11/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: AteraAgent.exe, 0000000E.00000002.2794517516.000001ED7E974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
                                Source: AteraAgent.exe, 0000000E.00000002.2794517516.000001ED7E974000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004735000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004A05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D023B6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8D66000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1E8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C100584000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8AE00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE75D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E48C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E36F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAB82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6246F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004735000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004A05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D023B6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8D66000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1E8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C100584000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8AE00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE75D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E48C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E36F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAB82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00136000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3388917607.00000290FDEF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.
                                Source: AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7E036000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2738724708.000001ED64FF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E65A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68BF9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3011380999.0000025C4F916000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C503C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B67C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E5A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68C67000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50893000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA0015C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00158000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E460000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2426958772.0000023D1A990000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2426872557.000001D3E1483000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2426872557.000001D3E1435000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3194308228.0000025C688C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7E036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtT
                                Source: AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtq
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3222652432.0000020CA7A54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2738724708.000001ED64FF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E65A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68BF9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3011380999.0000025C4F916000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B66E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B67C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E5A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlF#
                                Source: AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlo
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA0015C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00158000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl&l3l
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00158000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3542552220.0000028B7AA76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3222652432.0000020CA7A60000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6ADD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000002.3005489047.000001ECC3310000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlw
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/l
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digw
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C503C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B67C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E5A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68C67000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50893000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl:5
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlK#
                                Source: AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B66E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crle
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlgb$l
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B3A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/l
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6246F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cs2.wpc.gammacdn.net
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;k
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E594C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AgentPackageAgentInformation.exe, 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E594C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE001E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gig-ai-prod-weur-0-app-v4-tag.westeurope.cloudapp.azure.com
                                Source: rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E517000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E60C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2800325891.000001ED7EA0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B3D6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E476000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2738724708.000001ED65090000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B3D6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/lRL_=
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B67C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E5A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E460000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2426958772.0000023D1A990000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2426872557.000001D3E1483000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2426872557.000001D3E1435000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3194308228.0000025C688C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2738724708.000001ED64FF6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E65A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68BF9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3011380999.0000025C4F916000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA0015C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00158000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7E036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 0000000D.00000002.2221330228.0000011D7B3BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B3A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl)
                                Source: AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3011380999.0000025C4F9AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B3A3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3205466110.0000025C68C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crly
                                Source: AteraAgent.exe, 0000000E.00000002.2800325891.000001ED7EA0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comk
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00136000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E654000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                                Source: AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE001B7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E654000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE001E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://westeurope-5.in.applicationinsights.azure.com
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2637314347.000001C16B2B2000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E654000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                                Source: AteraAgent.exe, 0000000E.00000002.2787923096.000001ED7E59F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C503C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221174367.0000011D7B340000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2222257977.0000011D7B67C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2788920237.000001ED7E5A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2786251451.000001ED7E554000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                                Source: AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                                Source: AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                                Source: AteraAgent.exe, 0000000E.00000002.2800325891.000001ED7EA0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: rundll32.exe, 00000012.00000002.2282714094.00000000073E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                                Source: AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.Pj
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDf
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh0w
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Productio
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED6592B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages.p
                                Source: AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/b4e82e32-b266-4530-919e-fe1de1f98
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCo
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/b4e82e32-b266-4530-919e-fe1de1f98e09
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000005.00000002.2143711735.0000000004756000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004A26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgent
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E407000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/monitoring/v1/MonitoringPackage/AddAgentMetrics
                                Source: AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com0
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuHX
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/X
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/f
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/pc
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com8
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5937000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5932000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5937000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5911000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exe
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3094883197.000001EE6AA42000.00000002.00000001.01000000.0000003A.sdmpString found in binary or memory: https://github.com/App-vNext/Polly.git
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13E8000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0019E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AteraAgent.exe, 0000000E.00000002.2792623804.000001ED7E862000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 0000003C.00000002.3004222516.000001ECC3172000.00000002.00000001.01000000.00000034.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://monitor.azure.com//.default
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E590C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640587769.000001C16BE78000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00116000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00116000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://profiler.monitor.azure.com/l
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/p
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/pc
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHb
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E31000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.3/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E31000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/30.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.6/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesne
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availa
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E31000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Wat
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?xH2p3q
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?xH2p3qgWnU
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.3/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?xH2p3q
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?xH2p
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50183000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?xH2p3
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E31000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/30.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.6/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip?xH2p3qgWn
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip?xH
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip?x
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E31000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Mac/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Windows/
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C9A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C9A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50105000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=125c57b9-fca9-42c8-8584-9e274fcb0567
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1bc39293-f3a6-4ab5-ba9d-20b98149cda6
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6b91f202-bf4e-4943-bc58-0098ce33a57f
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50105000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6fed04d9-6356-46f3-b084-2df395a69c54
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=768e814b-fa2f-4a7c-89f2-76fe05850404
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9a281983-d9be-4740-b83c-fad358c3cacc
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e0ed7a37-ef21-4e0b-a936-8899b85271ef
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f4491d47-6565-4ddc-be08-4b85a0aaf9f6
                                Source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/b4e82e32
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscrib
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65F20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50183000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/b4e82e32-b266-4530-919e
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.comZ
                                Source: AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://rt.services.visualstudio.com/l
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/pc
                                Source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/&
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/p
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639767221.000001C16BD94000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.co
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE001B7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/pc
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/pc
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640587769.000001C16BE78000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13EA000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2654801898.00007FF89F794000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f2990.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2AF7.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E63.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI499D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BC1.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BC2.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C40.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D4B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f2992.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f2992.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F2.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f2993.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7561.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7D32.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8988.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI94D3.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9551.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI968B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI96F9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE1C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE2D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAECA.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB042.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f299f.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\4f299f.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB6DA.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI2AF7.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_045B00405_3_045B0040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_045B71D05_3_045B71D0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_051859A86_3_051859A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_051850B86_3_051850B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_05184D686_3_05184D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FF84861C92213_2_00007FF84861C922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FF848610C1D13_2_00007FF848610C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FF84861BB7613_2_00007FF84861BB76
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848620D4214_2_00007FF848620D42
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF84863CEE014_2_00007FF84863CEE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848647F5814_2_00007FF848647F58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF84862CFB814_2_00007FF84862CFB8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848629AF214_2_00007FF848629AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848631CF014_2_00007FF848631CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF84883DEDA14_2_00007FF84883DEDA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848840E3714_2_00007FF848840E37
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06E8004018_3_06E80040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84861195319_2_00007FF848611953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84861795619_2_00007FF848617956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84862211819_2_00007FF848622118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF8486211BD19_2_00007FF8486211BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84863057D19_2_00007FF84863057D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84861870219_2_00007FF848618702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF8486211D319_2_00007FF8486211D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF8486112FB19_2_00007FF8486112FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF848620E3C19_2_00007FF848620E3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF848620ED819_2_00007FF848620ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF8486116FA19_2_00007FF8486116FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF84861BF8019_2_00007FF84861BF80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF84863195320_2_00007FF848631953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF84863795620_2_00007FF848637956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF84864211820_2_00007FF848642118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF8486411BD20_2_00007FF8486411BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF84865057D20_2_00007FF84865057D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF84863870220_2_00007FF848638702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF8486411D320_2_00007FF8486411D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF8486312FB20_2_00007FF8486312FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF848640DBA20_2_00007FF848640DBA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF848640E3C20_2_00007FF848640E3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF848640ED820_2_00007FF848640ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF8486316FA20_2_00007FF8486316FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FF8485F195323_2_00007FF8485F1953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FF8485F16FA23_2_00007FF8485F16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FF8485F12FB23_2_00007FF8485F12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84863D1E025_2_00007FF84863D1E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84863CAB825_2_00007FF84863CAB8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862D3E825_2_00007FF84862D3E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84863D39025_2_00007FF84863D390
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84863CD7025_2_00007FF84863CD70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848620D4225_2_00007FF848620D42
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862EF6725_2_00007FF84862EF67
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862EF1925_2_00007FF84862EF19
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862E9E825_2_00007FF84862E9E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF8486393F625_2_00007FF8486393F6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848631D1025_2_00007FF848631D10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848631D7825_2_00007FF848631D78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84883342525_2_00007FF848833425
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84883859225_2_00007FF848838592
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848836DBE25_2_00007FF848836DBE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF8488412CF25_2_00007FF8488412CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF8488412E025_2_00007FF8488412E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861897628_2_00007FF848618976
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861195328_2_00007FF848611953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF848620E6928_2_00007FF848620E69
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861FF4D28_2_00007FF84861FF4D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861411828_2_00007FF848614118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861D1D528_2_00007FF84861D1D5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF8486112FB28_2_00007FF8486112FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861446528_2_00007FF848614465
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF8486304F028_2_00007FF8486304F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861C4D128_2_00007FF84861C4D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861972228_2_00007FF848619722
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF848613BF328_2_00007FF848613BF3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84863E2DB28_2_00007FF84863E2DB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84864131D28_2_00007FF84864131D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84862D44028_2_00007FF84862D440
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84861073028_2_00007FF848610730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF8486116FA28_2_00007FF8486116FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FF8486484C035_2_00007FF8486484C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FF8486366D835_2_00007FF8486366D8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FF84864174D35_2_00007FF84864174D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FF84864531835_2_00007FF848645318
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F7220E038_2_00007FF89F7220E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F67B88038_2_00007FF89F67B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F72696038_2_00007FF89F726960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F7301E038_2_00007FF89F7301E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68A0C038_2_00007FF89F68A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6940A038_2_00007FF89F6940A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F629F3038_2_00007FF89F629F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F607F3038_2_00007FF89F607F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F685F2038_2_00007FF89F685F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F637E7038_2_00007FF89F637E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F605E5038_2_00007FF89F605E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F623E1038_2_00007FF89F623E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F64FEF038_2_00007FF89F64FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68FED038_2_00007FF89F68FED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F7EC038_2_00007FF89F5F7EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F673EB038_2_00007FF89F673EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F697EA038_2_00007FF89F697EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6A5EA038_2_00007FF89F6A5EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6C7D2038_2_00007FF89F6C7D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F639CF038_2_00007FF89F639CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6DBCD038_2_00007FF89F6DBCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F733C2038_2_00007FF89F733C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6CDCC038_2_00007FF89F6CDCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F657B3038_2_00007FF89F657B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F61BBE038_2_00007FF89F61BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F639BA038_2_00007FF89F639BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6DDB8038_2_00007FF89F6DDB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6A7A6038_2_00007FF89F6A7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F629A6038_2_00007FF89F629A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F693AF038_2_00007FF89F693AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F625AD038_2_00007FF89F625AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F61D91038_2_00007FF89F61D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F65B9F038_2_00007FF89F65B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F60D83038_2_00007FF89F60D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6518DA38_2_00007FF89F6518DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F74184038_2_00007FF89F741840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63D77038_2_00007FF89F63D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F73F79038_2_00007FF89F73F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F69772038_2_00007FF89F697720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F64F78038_2_00007FF89F64F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F60564038_2_00007FF89F605640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F65B64738_2_00007FF89F65B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63F63038_2_00007FF89F63F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FD63438_2_00007FF89F5FD634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6636E038_2_00007FF89F6636E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6E56D038_2_00007FF89F6E56D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F69169038_2_00007FF89F691690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F955C38_2_00007FF89F5F955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F347438_2_00007FF89F5F3474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F74B038_2_00007FF89F5F74B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68B37038_2_00007FF89F68B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68D35038_2_00007FF89F68D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FF34038_2_00007FF89F5FF340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6CF3E038_2_00007FF89F6CF3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6193D038_2_00007FF89F6193D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F66F22038_2_00007FF89F66F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F70320038_2_00007FF89F703200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FD28438_2_00007FF89F5FD284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68917038_2_00007FF89F689170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F65F1B038_2_00007FF89F65F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F11B038_2_00007FF89F5F11B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63902038_2_00007FF89F639020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F7250F038_2_00007FF89F7250F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68EFD038_2_00007FF89F68EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63AFB038_2_00007FF89F63AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F602F8C38_2_00007FF89F602F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F61CE7038_2_00007FF89F61CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F650E3038_2_00007FF89F650E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FCEA838_2_00007FF89F5FCEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6B8D2038_2_00007FF89F6B8D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F676D2038_2_00007FF89F676D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F664D0038_2_00007FF89F664D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F740D3038_2_00007FF89F740D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F4DB438_2_00007FF89F5F4DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F72CD6038_2_00007FF89F72CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F724C8038_2_00007FF89F724C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F69CC0038_2_00007FF89F69CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F606CC038_2_00007FF89F606CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63ACD038_2_00007FF89F63ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F66CB5038_2_00007FF89F66CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6DAB0038_2_00007FF89F6DAB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F648B9038_2_00007FF89F648B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6BAA7038_2_00007FF89F6BAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F638A6038_2_00007FF89F638A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F8A3C38_2_00007FF89F5F8A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F616A8038_2_00007FF89F616A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6E691038_2_00007FF89F6E6910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F64E99038_2_00007FF89F64E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6B686038_2_00007FF89F6B6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F60886038_2_00007FF89F608860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FE80C38_2_00007FF89F5FE80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F28C038_2_00007FF89F5F28C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6488A038_2_00007FF89F6488A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F60273838_2_00007FF89F602738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F60E72038_2_00007FF89F60E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F68A7E038_2_00007FF89F68A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F72C68038_2_00007FF89F72C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F67060038_2_00007FF89F670600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F67455038_2_00007FF89F674550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F72E5B038_2_00007FF89F72E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FA52438_2_00007FF89F5FA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F7105D038_2_00007FF89F7105D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F64051038_2_00007FF89F640510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6AA5D038_2_00007FF89F6AA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F85D438_2_00007FF89F5F85D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6AE59038_2_00007FF89F6AE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6D659038_2_00007FF89F6D6590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6044DC38_2_00007FF89F6044DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6564A038_2_00007FF89F6564A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F61033038_2_00007FF89F610330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6B831038_2_00007FF89F6B8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F61231038_2_00007FF89F612310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F66224038_2_00007FF89F662240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6AC22038_2_00007FF89F6AC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F69A2F038_2_00007FF89F69A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F6922B038_2_00007FF89F6922B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F67C11038_2_00007FF89F67C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF84862BD6138_2_00007FF84862BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF848842BCF38_2_00007FF848842BCF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF8488424E838_2_00007FF8488424E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF84884F08838_2_00007FF84884F088
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF848953C7138_2_00007FF848953C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF848954DE238_2_00007FF848954DE2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF848950D1538_2_00007FF848950D15
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF848A1346A38_2_00007FF848A1346A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89F7406B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89F741D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF89F741B70 appears 102 times
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@103/435@0/12
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4092:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6512:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6484:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3200:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1772:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6352:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3472:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6364:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5432:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2568:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6764:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4448:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6968:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4372:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2604:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFDC1661FA1C2D6BB2.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2AF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5188468 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1005B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8AE2D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2641332424.000001C16CB85000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','idx_AlertedEvents_V2_LogName','AlertedEvents_V2',#1,Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2641332424.000001C16CB85000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','idx_AlertedEvents_V2_LogName','AlertedEvents_V2',#1,Alerts TEXT NOT NULL);j
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E4E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E39E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E407000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E407000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1005B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8AE2D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E67A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: setup.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: setup.msiReversingLabs: Detection: 23%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 66C0EE8C29E52882C8A385FD1BF92EE2
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2AF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5188468 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2E63.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5189453 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI499D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5196218 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="administrativo@viacolor.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OagB2IAJ" /AgentId="b4e82e32-b266-4530-919e-fe1de1f98e09"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI68F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5204234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 42263619842A193E6FDC049D908E5C9F E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7561.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5273656 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 66C0EE8C29E52882C8A385FD1BF92EE2Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="administrativo@viacolor.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OagB2IAJ" /AgentId="b4e82e32-b266-4530-919e-fe1de1f98e09"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 42263619842A193E6FDC049D908E5C9F E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2AF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5188468 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2E63.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5189453 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI499D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5196218 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI68F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5204234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7561.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5273656 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: smphost.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mispace.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sxshared.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmiclnt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wevtapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: virtdisk.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: resutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: clusapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmitomi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fastprox.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: setup.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000026.00000002.2637599786.000001C16B302000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3337876001.0000028B61D42000.00000002.00000001.01000000.00000044.sdmp
                                Source: Binary string: t.pdb source: AteraAgent.exe, 00000019.00000002.3194308228.0000025C689A1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2636886872.000001C16AD92000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 0000003C.00000002.2987420908.000001ECAAA02000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb_R source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 0000003C.00000002.3004222516.000001ECC3172000.00000002.00000001.01000000.00000034.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: dows\dll\mscorlib.pdbOID source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3094883197.000001EE6AA42000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AteraAgent.exe, 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000000.2920241940.000001ECA9FD2000.00000002.00000001.01000000.0000002D.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2792623804.000001ED7E862000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2792623804.000001ED7E862000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbP} source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb#J source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639212206.000001C16BCF2000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbp source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE28000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2637599786.000001C16B302000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13EA000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13EA000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3206017787.000001FA6C6A2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3206017787.000001FA6C6A2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 0000003C.00000002.3004222516.000001ECC3172000.00000002.00000001.01000000.00000034.sdmp
                                Source: Binary string: mscorlib.pdb0 source: AgentPackageOsUpdates.exe, 00000037.00000002.3086239610.000001EE6A9D3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000037.00000002.3094883197.000001EE6AA42000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000026.00000002.2636886872.000001C16AD92000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBx source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3086239610.000001EE6A940000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2654362916.00007FF89F74A000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2815256416.00007FF89F73C000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3281991179.00007FF89F86C000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2221876280.0000011D7B442000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2221876280.0000011D7B442000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3218904552.000001FA6D2D0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbW source: AgentPackageOsUpdates.exe, 00000037.00000002.3104716129.000001EE6AE05000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003C.00000002.2987420908.000001ECAAA02000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip.pdbhI source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AteraAgent.exe, 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp
                                Source: BouncyCastle.Crypto.dll.1.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F601910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,38_2_00007FF89F601910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF8486200BD pushad ; iretd 14_2_00007FF8486200C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF8487A0C79 push 2000000Ch; retf 14_2_00007FF8487A0CB9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FF848830F38 push eax; ret 14_2_00007FF848830F94
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D9A228 pushfd ; retf 18_3_06D9A3C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D957B8 push es; ret 18_3_06D95840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D94E90 push es; ret 18_3_06D94EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D958D1 push es; ret 18_3_06D958E0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D958F0 push es; ret 18_3_06D95900
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D95850 push es; ret 18_3_06D958C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06D95910 push es; ret 18_3_06D95920
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06E884A1 push es; ret 18_3_06E884B0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 18_3_06E849C0 push es; ret 18_3_06E849DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF848627969 push ebx; retf 19_2_00007FF84862796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 19_2_00007FF8486100BD pushad ; iretd 19_2_00007FF8486100C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF848647969 push ebx; retf 20_2_00007FF84864796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FF8486300BD pushad ; iretd 20_2_00007FF8486300C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 23_2_00007FF8485F00BD pushad ; iretd 23_2_00007FF8485F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF8486325F2 push eax; iretd 25_2_00007FF848632631
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862A64B push eax; retf 25_2_00007FF84862A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84862A650 push eax; retf 25_2_00007FF84862A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848632DFA push FFFFFFE8h; retf 25_2_00007FF848632EF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF8486200BD pushad ; iretd 25_2_00007FF8486200C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF84883339C push eax; ret 25_2_00007FF8488333B4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848839438 push eax; ret 25_2_00007FF848839494
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848832681 push eax; ret 25_2_00007FF8488326A4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 25_2_00007FF848831E51 push eax; ret 25_2_00007FF848831E74
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF848627967 push ebx; retf 28_2_00007FF84862796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF84863CAD0 push eax; retn 5F51h28_2_00007FF84863E0FD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF848612D95 push eax; ret 28_2_00007FF848612E1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 28_2_00007FF8486100BD pushad ; iretd 28_2_00007FF8486100C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FF848647C18 push eax; retf 5F4Ah35_2_00007FF848647D6D

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI968B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BC2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB042.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f299b.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI499D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAECA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI96F9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f299a.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9551.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB6DA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E63.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D4B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f299d.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f2997.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C40.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f2999.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7D32.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7561.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE2D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 4f299c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8988.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2AF7.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E63.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2AF7.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8988.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAECA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F2.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D4B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI968B.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI96F9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4BC2.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB042.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7D32.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB6DA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7561.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI7561.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAE2D.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI499D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9551.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4C40.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2AF7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI499D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,38_2_00007FF89F5FA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name=&apos;MSExchangeIS&apos; OR DisplayName=&apos;MSExchangeIS&apos;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name=&apos;MSExchangeIS&apos; OR DisplayName=&apos;MSExchangeIS&apos;
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 11D79160000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 11D7AC80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1ED65690000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1ED7D8A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 23D01A10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 23D1A220000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D3C85B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D3E0BD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E4809A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E498DA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 25C4F8C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 25C68080000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1738BA90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 173A3F30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 290E5150000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 290FD770000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1C16AC20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1C16B3D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22F8A450000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22FA2880000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22EE6E30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22EFF4A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FA6C1E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FA6C720000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 19880400000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 19898A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 28B61BE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 28B7A100000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 20C8DC40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 20CA5F80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1EE69FB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1EE6A090000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1ECAA340000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1ECC2A60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599876
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597094
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596653
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596538
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596088
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595983
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597575
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596374
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596144
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595904
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595792
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595577
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595341
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595229
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595111
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599848
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599463
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599074
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598714
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598357
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598132
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597789
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597664
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597281
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596919
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595803
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594395
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594154
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593914
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593388
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593149
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592769
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592512
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592395
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592276
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592034
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591455
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590643
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590074
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 4720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 4836
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 7838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 1713
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 4453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 5422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 3275
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 6565
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3823
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3467
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 1964
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 4133
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 1674
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 7239
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 2408
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 7892
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 1851
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 5882
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 1076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2AF7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7561.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI968B.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4BC2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB042.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI499D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4f299b.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI499D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAECA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI96F9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4f299a.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9551.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB6DA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E63.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI499D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4D4B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4f299d.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7561.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4C40.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4f2999.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7D32.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7561.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAE2D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2AF7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 4f299c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8988.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E63.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2AF7.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6568Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3292Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4788Thread sleep count: 4720 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4788Thread sleep count: 4836 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6760Thread sleep time: -24903104499507879s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6760Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3964Thread sleep count: 52 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3964Thread sleep time: -520000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6036Thread sleep time: -5534023222112862s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2104Thread sleep time: -90000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 5384Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2828Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6276Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6020Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5532Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7108Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6508Thread sleep count: 7838 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6508Thread sleep count: 1713 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3568Thread sleep count: 38 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3568Thread sleep time: -35048813740048126s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3568Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6688Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1524Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4464Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5236Thread sleep count: 4453 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5236Thread sleep count: 5422 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -22136092888451448s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599876s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -599078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -598078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597639s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -597094s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596653s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596538s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -596088s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -595983s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -595875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -595765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2292Thread sleep time: -595656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep count: 38 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -35048813740048126s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 3752Thread sleep count: 3275 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 3752Thread sleep count: 6565 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599546s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -599000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598671s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598451s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -598015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597796s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597575s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -597031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596921s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596483s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596374s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596144s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -596015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595904s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595792s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595577s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595341s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595229s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -595111s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -594985s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -594874s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -594765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -594656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 5392Thread sleep time: -594546s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5376Thread sleep count: 3823 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5376Thread sleep count: 3467 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3608Thread sleep time: -22136092888451448s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3608Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2380Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6024Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1396Thread sleep count: 1964 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6292Thread sleep count: 4133 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6000Thread sleep time: -12912720851596678s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6000Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2748Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5000Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5832Thread sleep count: 1674 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 744Thread sleep count: 229 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1288Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4112Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6716Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 1520Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6112Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6640Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2652Thread sleep count: 7239 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep count: 40 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -36893488147419080s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599848s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599463s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599330s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599200s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -599074s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598714s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2652Thread sleep count: 2408 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598357s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -598132s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597789s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597664s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597551s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597281s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -597031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596919s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596288s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -596125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -595984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -595803s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -595438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594510s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594395s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594154s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -594031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593914s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593609s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593388s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593149s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -593020s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592900s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592769s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592512s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592395s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592276s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592156s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -592034s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591455s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -591109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590996s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590643s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590527s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -590074s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1340Thread sleep time: -589953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6024Thread sleep count: 7892 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3524Thread sleep count: 1851 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7112Thread sleep time: -23980767295822402s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7112Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 892Thread sleep count: 5882 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 5560Thread sleep time: -12912720851596678s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 3184Thread sleep count: 1076 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 3128Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 6148Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 5352Thread sleep count: 264 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 3352Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 5996Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599876
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597094
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596653
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596538
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596088
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595983
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597575
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596374
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596144
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595904
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595792
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595577
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595341
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595229
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595111
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599848
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599463
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599074
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598714
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598357
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598132
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597789
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597664
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597281
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596919
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595803
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594395
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594154
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593914
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593388
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593149
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592769
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592512
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592395
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592276
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592034
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591455
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590643
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590074
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: svchost.exe, 00000025.00000003.2594554518.000001FB84F23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: AteraAgent.exe, 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2911633927.0000022E8008B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                                Source: AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2221446131.0000011D7B3D6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2787923096.000001ED7E587000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2911633927.0000022E8008B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"4
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684326139.00000173A4912000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdownG
                                Source: rundll32.exe, 00000012.00000002.2279843228.0000000002E6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^.
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppede
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedg
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2668823708.000001738B8C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: svchost.exe, 00000025.00000003.2594554518.000001FB84F23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000025.00000002.3324281478.000001FB84C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C292B65879FF477A6AF604113F58rog
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: svchost.exe, 00000025.00000002.3324710523.000001FB84C68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C292B65879FF477A6AF604113F58
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682975544.00000173A488A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2904458041.0000022E80000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682975544.00000173A488A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: svchost.exe, 00000025.00000002.3324512246.000001FB84C52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2638183439.000001C16BC10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{F
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: svchost.exe, 00000025.00000002.3324281478.000001FB84C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C292B65879FF477A6AF604113F580
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: svchost.exe, 00000025.00000002.3325629102.000001FB84CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@manufacturer"vmware"
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: svchost.exe, 00000025.00000002.3325629102.000001FB84CBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.2.
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStoppedz
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2904458041.0000022E80000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000025.00000002.3324512246.000001FB84C52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual R
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedj
                                Source: svchost.exe, 00000025.00000002.3325629102.000001FB84CD9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware Virtual disk"
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^.
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedl
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2904458041.0000022E80000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedY
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2683275775.00000173A48B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedl
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: svchost.exe, 00000025.00000002.3324901170.000001FB84CB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?XSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2685433082.00000173A4997000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<3
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2904458041.0000022E80000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped(.Y
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM2.
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12.
                                Source: rundll32.exe, 00000005.00000002.2143080511.0000000002BA2000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2426958772.0000023D1A990000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2426872557.000001D3E1435000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3194308228.0000025C688FE000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2762473711.0000022FA3098000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2927057579.0000022E80190000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3542552220.0000028B7AA68000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3222652432.0000020CA79DB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3086239610.000001EE6A9D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.3388917607.00000290FDEF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2668823708.000001738B8C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: svchost.exe, 00000025.00000002.3324281478.000001FB84C13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f58LFO2.0
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
                                Source: AgentPackageMonitoring.exe, 00000026.00000002.2636637117.000001C16AD62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^.
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2911949759.0000022E8009B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
                                Source: AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II2.
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2687521417.00000173A4A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2911633927.0000022E8008B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"I
                                Source: AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000025.00000003.2594554518.000001FB84F23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000025.00000002.3324901170.000001FB84CB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000025.00000002.3325629102.000001FB84CC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@"VMware"OM624
                                Source: AgentPackageAgentInformation.exe, 0000001C.00000002.2684229394.00000173A490B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped&
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F5E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,38_2_00007FF89F5F5E14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F601910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,38_2_00007FF89F601910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F601910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,38_2_00007FF89F601910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F7A84 GetProcessHeap,38_2_00007FF89F5F7A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_00007FF89F5FACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="administrativo@viacolor.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OagB2IAJ" /AgentId="b4e82e32-b266-4530-919e-fe1de1f98e09"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OagB2IAJ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="administrativo@viacolor.com.br" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000oagb2iaj" /agentid="b4e82e32-b266-4530-919e-fe1de1f98e09"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000oagb2iaj
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="administrativo@viacolor.com.br" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000oagb2iaj" /agentid="b4e82e32-b266-4530-919e-fe1de1f98e09"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000oagb2iaj
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F739C cpuid 38_2_00007FF89F5F739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5FCC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,38_2_00007FF89F5FCC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F5F85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,38_2_00007FF89F5F85D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Stealing of Sensitive Information

                                barindex
                                Queries disk data (e.g. SMART data)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 51.0.AgentPackageTicketing.exe.28b618b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.2.AgentPackageTicketing.exe.28b61c40000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 38.0.AgentPackageMonitoring.exe.1c16a980000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 51.2.AgentPackageTicketing.exe.28b61d40000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 60.0.AgentPackageInternalPoller.exe.1eca9fd0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 55.0.AgentPackageOsUpdates.exe.1ee697d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 19.2.AgentPackageAgentInformation.exe.23d01c20000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 19.0.AgentPackageAgentInformation.exe.23d017b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 38.2.AgentPackageMonitoring.exe.1c16ad60000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 47.0.AgentPackageUpgradeAgent.exe.1fa6bdc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageSTRemote.exe.290e4d30000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 55.2.AgentPackageOsUpdates.exe.1ee6a000000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 13.0.AteraAgent.exe.11d78e10000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 25.2.AteraAgent.exe.25c50362a18.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89F8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E48077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2442725300.000001E480E13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.0000019880229000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61ACC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2223315915.00007FF8486A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3334836320.00000290E5130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61AC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3542552220.0000028B7AA50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61B4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670488354.000001738BA40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3194308228.0000025C68955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422562984.000001D3C83F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89F50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2638183439.000001C16BC10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE00194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2545794268.0000021C8298B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F92C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738724708.000001ED64FDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2937756946.0000022EE6C78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2786251451.000001ED7E548000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.0000019880150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2978507128.000001ECAA0CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3010693802.0000025C4F8B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3128697704.000001FA00116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2638183439.000001C16BBA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2668823708.000001738B889000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2426958772.0000023D1A990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2762473711.0000022FA3000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3070712800.000001EE699DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2422868525.0000023D01AAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3019802711.0000000692D3E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AC4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3112729384.0000029F5E63A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220738659.0000011D792D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2424207379.000001D3C8C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3336972786.00000290E57EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2978507128.000001ECAA14B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE005EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2935397618.0000022E80278000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738372378.0000022F89F40000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3194187076.000001FA6BFCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C500E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3219365412.0000020CA7960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2846722151.00000286864BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89FD4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D000B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000020.00000002.2544602998.00000259B9B40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2668823708.000001738B840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2741780844.0000022F8A881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AD25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2545933131.0000021C82B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3337876001.0000028B61D42000.00000002.00000001.01000000.00000044.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2978507128.000001ECAA0C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2668823708.000001738B8C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE0019E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3070712800.000001EE69950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2766419497.0000022FA40B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E4806A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C503CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B6246F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89F59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E67A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E476000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89F8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2422868525.0000023D01A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2937756946.0000022EE6C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AD2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E648000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2984787952.000001ECAA310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2545794268.0000021C829A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3326895328.00000290E4F8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C848C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220104196.0000011D78F81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2793915331.000001ED7E950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3194187076.000001FA6BFC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2641332424.000001C16CB85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F936000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2641509915.000001C16CB96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000002.2545794268.0000021C82980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE001B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E63F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2424253508.0000023D022A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAC8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2222042672.0000011D7B620000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3070712800.000001EE69992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAC94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3078123955.000001EE69C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3128697704.000001FA0025F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E4806A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.3114345807.0000029F5DB71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2684472829.00000173A4936000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.3114873045.0000029F5E63C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3336972786.00000290E5771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C8458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C84D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2846722151.00000286864D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2937756946.0000022EE6C4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3053982314.0000029F5E570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635124376.000001C16AA70000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635212357.000001C16AB80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001E.00000003.2468669682.0000021C82B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738724708.000001ED64FD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2842765284.0000019880AA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2222257977.0000011D7B65B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAC92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3204012277.000001FA6C1A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B62162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220045144.0000011D78F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D00166000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3086536008.0000020C8DA60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2422868525.0000023D01A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2978507128.000001ECAA18A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076606408.0000020C8D8F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2846722151.00000286864B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3217746100.0000020CA7677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F9AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2442725300.000001E480DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076606408.0000020C8D92D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076606408.0000020C8D93B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.000001988018E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3336972786.00000290E5873000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3338866084.0000028B61D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3282601110.00007FF89F889000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E4806DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2937756946.0000022EE6C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3005489047.000001ECC33B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3128697704.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2688573647.00000173A4B04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2846926984.00000286865B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D00132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2919184631.0000022E800B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE002C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2767656575.0000022FA42EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D000BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220132555.0000011D78FF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2442725300.000001E480E23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738724708.000001ED65056000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220132555.0000011D78FC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2741780844.0000022F8A890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2424253508.0000023D02293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2422512608.0000023D01940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E4E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE005FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220132555.0000011D78FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2842765284.0000019880A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3009940206.0000025C4F710000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2787923096.000001ED7E587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2629623199.000001C1005B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C506F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F975000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAC90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738724708.000001ED65090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E480724000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65B38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAA7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F8F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3112789454.0000029F5DB6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.000001988016F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3219218842.0000020CA789D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D000B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2787923096.000001ED7E59F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C8498000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C846B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3217851993.0000020CA7875000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3326895328.00000290E4F41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3205466110.0000025C68BF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076606408.0000020C8D97B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076248038.0000020C8D800000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2740518045.0000022F8A2A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2424207379.000001D3C8C43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3113224814.0000029F5E63B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3070712800.000001EE6995C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65B4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2641297132.000001C16C987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3326895328.00000290E4F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000000.2920241940.000001ECA9FD2000.00000002.00000001.01000000.0000002D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65C9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220045144.0000011D78F60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE00213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61B03000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D0008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E39E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3194187076.000001FA6C002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3323242307.000000C3306F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3005489047.000001ECC3385000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C505E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2740847986.000001ED65290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3194187076.000001FA6C0AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2978507128.000001ECAA100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2222542212.0000011D7B6B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.3005489047.000001ECC3310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2422868525.0000023D01A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2424207379.000001D3C8BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2424253508.0000023D02267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3322902397.0000009D490F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E4806C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AC81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738724708.000001ED6500C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED65C84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3542552220.0000028B7AAA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945471974.0000022EE761C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C503C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2920253461.0000022E800BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C50893000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2654681165.00007FF89F789000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2426872557.000001D3E13F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000003.2774599402.00000286865D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2686072407.00000173A49F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61B0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2843937085.00000158CA5E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2927057579.0000022E80183000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE00247000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3112646076.0000029F5E67E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C504E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2735741380.00000030BFD15000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2441669794.000001E48078B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3205466110.0000025C68C57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2738412795.0000022F89F6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945471974.0000022EE75D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.2442590790.000001E480800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.2986269233.0000029F5E63A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2636637117.000001C16AD62000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2422768883.000001D3C8450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16ACCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AC88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3326895328.00000290E4F0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3205466110.0000025C68C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E407000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000003.3109705875.0000029F5E570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3219018709.0000020CA7899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2635542993.000001C16AC40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E674000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2945064993.0000022EE6FC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2220132555.0000011D78FA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3205395901.000001FA6C2A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2738597745.000001ED64F70000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAC96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3086239610.000001EE6A940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B621AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3194187076.000001FA6C04E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3128697704.000001FA00170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C19D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.00000198801D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D0017C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3205466110.0000025C68BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2842303493.0000019880470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C16F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAAA61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.2742132423.000001ED6592B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2762473711.0000022FA3098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3011380999.0000025C4F8F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D00089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8E20E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3194308228.0000025C688FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3222652432.0000020CA7A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3088969639.0000020C8DF81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2816417808.00007FF89F759000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3076606408.0000020C8D8F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3326895328.00000290E4F43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2629623199.000001C100001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3327648384.0000028B61AE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3000981418.000000B6B02F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.3017985769.0000025C506C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2837394106.0000019880158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2670904459.000001738C22F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2217324832.0000011D00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.3204434923.0000020CA69D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.3388917607.00000290FDEF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.2424253508.0000023D02221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2988773953.000001ECAABCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2741780844.0000022F8AE2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.3128697704.000001FA00270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5420, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3408, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3568, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 6484, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 5064, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3304, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4164, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1276, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6360, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7160, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 180, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 368, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 1396, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 4612, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 2428, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 5316, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1400, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 5268, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 2452, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 6756, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 4512, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageTicketing.exe PID: 6832, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 5808, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 3348, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 6968, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3004, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageInternalPoller.exe PID: 1224, type: MEMORYSTR
                                Source: Yara matchFile source: dropped/ConDrv, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1B45AEA15F5573E8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI4BC1.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDC1661FA1C2D6BB2.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8529FC9B6D313511.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD278ACC22C26CDF3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFA8F097E17EA90D2.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7EFDB4EF32959954.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\4f2996.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\4f299e.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD2715D2EDAE221FB.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEDAD2D6CCD27AEC5.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3378F3AB83994214.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFE71DF77CFF880D03.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC80D2F2967D7A4F8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIAE1C.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7CBFDA3BF520CF70.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF49E81643EC481818.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAD3EF6C8B7EA5615.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI94D3.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6E8F4B29505839D7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF1BF0C1883F92515.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\4f2991.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF908E6BBA5FDEBAB2.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF4369381B03DE630.TMP, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 38_2_00007FF89F63B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,38_2_00007FF89F63B9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		641
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services11
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		22
                                Windows Service                                		11
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		22
                                Windows Service                                		111
                                Process Injection                                		31
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		1
                                Timestomp                                		NTDS275
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		Network Logon ScriptNetwork Logon Script1
                                DLL Side-Loading                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                File Deletion                                		Cached Domain Credentials781
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading                                		DCSync11
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry                                		Proc Filesystem371
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt371
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron111
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1578300 Sample: setup.msi Startdate: 19/12/2024 Architecture: WINDOWS Score: 100 153 Multi AV Scanner detection for dropped file 2->153 155 Multi AV Scanner detection for submitted file 2->155 157 Yara detected AteraAgent 2->157 159 8 other signatures 2->159 8 AteraAgent.exe 2->8         started        13 msiexec.exe 173 118 2->13         started        15 AteraAgent.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 145 108.158.75.93 AMAZON-02US United States 8->145 93 C:\...\System.Management.dll, PE32 8->93 dropped 95 C:\...95ewtonsoft.Json.dll, PE32 8->95 dropped 97 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 8->97 dropped 105 192 other malicious files 8->105 dropped 169 Installs Task Scheduler Managed Wrapper 8->169 19 AgentPackageUpgradeAgent.exe 8->19         started        23 AgentPackageMonitoring.exe 8->23         started        26 AgentPackageOsUpdates.exe 8->26         started        34 5 other processes 8->34 99 C:\Windows\Installer\MSIB6DA.tmp, PE32 13->99 dropped 101 C:\Windows\Installer\MSI8988.tmp, PE32 13->101 dropped 103 C:\Windows\Installer\MSI7D32.tmp, PE32 13->103 dropped 107 59 other files (50 malicious) 13->107 dropped 28 msiexec.exe 13->28         started        30 AteraAgent.exe 13->30         started        36 2 other processes 13->36 147 108.158.75.12 AMAZON-02US United States 15->147 149 13.232.67.198 AMAZON-02US United States 15->149 151 13.232.67.199 AMAZON-02US United States 15->151 109 30 other malicious files 15->109 dropped 171 Creates files in the system32 config directory 15->171 173 Reads the Security eventlog 15->173 175 Reads the System eventlog 15->175 38 7 other processes 15->38 32 conhost.exe 17->32         started        file5 signatures6 process7 dnsIp8 131 20.60.197.1 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->131 75 C:\...\System.ValueTuple.dll, PE32 19->75 dropped 77 C:\Program Files (x86)\...\Pubnub.dll, PE32 19->77 dropped 79 C:\...79ewtonsoft.Json.dll, PE32 19->79 dropped 91 4 other malicious files 19->91 dropped 51 2 other processes 19->51 81 C:\Program Files (x86)\...\log.txt, ASCII 23->81 dropped 161 Queries disk data (e.g. SMART data) 23->161 40 conhost.exe 23->40         started        133 20.50.88.227 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->133 42 conhost.exe 26->42         started        44 rundll32.exe 28->44         started        48 rundll32.exe 15 9 28->48         started        53 2 other processes 28->53 135 199.232.210.172 FASTLYUS United States 30->135 137 192.229.221.95 EDGECASTUS United States 30->137 83 C:\Windows\System32\InstallUtil.InstallLog, Unicode 30->83 dropped 85 C:\...\AteraAgent.InstallLog, Unicode 30->85 dropped 163 Creates files in the system32 config directory 30->163 165 Reads the Security eventlog 30->165 167 Reads the System eventlog 30->167 139 152.199.23.209 EDGECASTUS United States 34->139 87 C:\...\TicketingTray.exe (copy), PE32 34->87 dropped 55 6 other processes 34->55 57 3 other processes 36->57 141 52.223.39.232 AMAZONEXPANSIONGB United States 38->141 143 13.227.8.66 AMAZON-02US United States 38->143 89 C:\Windows\Temp\SplashtopStreamer.exe, PE32 38->89 dropped 59 8 other processes 38->59 file9 signatures10 process11 dnsIp12 111 C:\...\AlphaControlAgentInstallation.dll, PE32 44->111 dropped 121 3 other files (none is malicious) 44->121 dropped 177 System process connects to network (likely due to code injection or exploit) 44->177 129 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->129 113 C:\...\AlphaControlAgentInstallation.dll, PE32 48->113 dropped 123 3 other files (none is malicious) 48->123 dropped 115 C:\...\AlphaControlAgentInstallation.dll, PE32 53->115 dropped 117 C:\...\AlphaControlAgentInstallation.dll, PE32 53->117 dropped 125 6 other files (none is malicious) 53->125 dropped 61 conhost.exe 55->61         started        63 cscript.exe 55->63         started        119 C:\...\AlphaControlAgentInstallation.dll, PE32 57->119 dropped 127 3 other files (none is malicious) 57->127 dropped 65 conhost.exe 57->65         started        67 net1.exe 57->67         started        69 conhost.exe 57->69         started        71 conhost.exe 59->71         started        73 cscript.exe 59->73         started        file13 signatures14 process15

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                setup.msi24%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                4f2997.rbf (copy)26%ReversingLabsWin32.PUA.Atera
                                4f2999.rbf (copy)0%ReversingLabs
                                4f299a.rbf (copy)0%ReversingLabs
                                4f299b.rbf (copy)0%ReversingLabs
                                4f299c.rbf (copy)0%ReversingLabs
                                4f299d.rbf (copy)0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe26%ReversingLabsWin32.PUA.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/b4e82e32AteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    https://agent-api.atera.com/ProductioAteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmpfalse
                                      https://monitor.azure.com//.defaultAgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpfalse
                                        https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                          http://schemas.datacontract.orgAteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E654000.00000004.00000020.00020000.00000000.sdmpfalse
                                                https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgXAgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      https://nlog-project.org/AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640587769.000001C16BE78000.00000002.00000001.01000000.00000023.sdmpfalse
                                                        https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            http://dl.google.com/googletalk/googletalk-setup.exeAgentPackageAgentInformation.exe, 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmpfalse
                                                              http://repository.swisssign.com/0AteraAgent.exe, 0000000E.00000002.2791085765.000001ED7E654000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIPAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.zAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        https://api.nuHXAgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            http://wixtoolset.orgrundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000005.00000002.2143711735.0000000004756000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004A26000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    http://acontrol.atera.com/AteraAgent.exe, 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9a281983-d9be-4740-b83c-fad358c3caccAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://dc.services.visualstudio.com/pcAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://westeurope-5.in.applicationinsights.azure.coAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://westeurope-5.in.applicationinsights.azure.com/AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.3128697704.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE001B7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        https://westeurope-5.in.applicationinsights.azure.com/v2/trackAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?xH2p3qgWnUAteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659A8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50183000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?xH2p3qAteraAgent.exe, 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?AteraAgent.exe, 0000000E.00000002.2794517516.000001ED7E974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    http://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5911000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://dc.services.visualstudio.com/XAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageOsUpdates.exe, 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exeAgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5932000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5937000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5911000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/b4e82e32-b266-4530-919e-fe1de1f98AgentPackageInternalPoller.exe, 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://dc.services.visualstudio.com/pAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://download.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5937000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://agent-api.atera.comrundll32.exe, 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640587769.000001C16BE78000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                                https://dc.services.visualstudio.com/fAgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpfalse
                                                                                                                                                  https://profiler.monitor.azure.com/AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    http://www.w3.ohAteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED6592B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        http://api.nuget.orgAgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6246F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                                            http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000026.00000002.2639826315.000001C16BDA2000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                                              https://ps.atera.com/aAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000026.00000002.2639409549.000001C16BD32000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                                  https://ps.ateHbAteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://snapshot.monitor.azure.com/AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E590C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://agent-api.atera.com/Production/Agent/recurringCoAgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              http://cacerts.digicert.AgentPackageSTRemote.exe, 00000023.00000002.3388917607.00000290FDEF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                http://crl3.digwAteraAgent.exe, 0000000E.00000002.2782680199.000001ED7E4F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e0ed7a37-ef21-4e0b-a936-8899b85271efAteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000026.00000002.2639767221.000001C16BD94000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?xH2p3AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/GetRecurringPackages.pAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65951000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000026.00000002.2637314347.000001C16B2B2000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://dc.services.visualstudio.com/v2/trackAgentPackageOsUpdates.exe, 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://api.nuget.orgAgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.3/AgentPackageAgentInformatiAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65CD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3017985769.0000025C5015B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAgentPackageSTRemote.exe, 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelpAgentPackageTicketing.exe, 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://agent-api.PAgentPackageAgentInformation.exe, 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnetAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  http://www.w3.oAteraAgent.exe, 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitorAgentPackageOsUpdates.exe, 00000037.00000002.3099862957.000001EE6AC12000.00000002.00000001.01000000.0000003C.sdmpfalse
                                                                                                                                                                                                                      https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgentAgentPackageMonitoring.exe, 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://github.com/JamesNK/Newtonsoft.Jsonrundll32.exe, 00000004.00000003.2069270840.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2084120126.00000000043D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2146162541.000000000500A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.2226546955.000000000482B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2425871969.000001D3E13E8000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000026.00000002.2640649691.000001C16BE82000.00000002.00000001.01000000.00000024.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2845518281.00000198992C0000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003B.00000003.2924823749.00000000040E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://ps.pndsn.com/v2/subscribAteraAgent.exe, 0000000E.00000002.2742132423.000001ED659B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.AvailaAteraAgent.exe, 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?xH2p3qAteraAgent.exe, 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zipAteraAgent.exe, 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0AteraAgent.exe, 0000000E.00000002.2794517516.000001ED7E974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      https://rca.e-szigno.hu/ocsp0-AteraAgent.exe, 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmpfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        108.158.75.93
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        152.199.23.209
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        13.232.67.198
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        13.232.67.199
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        13.227.8.66
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        199.232.210.172
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		54113FASTLYUSfalse
                                                                                                                                                                                                                                        108.158.75.12
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        52.223.39.232
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8987AMAZONEXPANSIONGBfalse
                                                                                                                                                                                                                                        20.50.88.227
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1578300
                                                                                                                                                                                                                                        Start date and time:2024-12-19 14:58:07 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 14m 20s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:62
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:setup.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@103/435@0/12
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 15.4%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 60%
                                                                                                                                                                                                                                        • Number of executed functions: 376
                                                                                                                                                                                                                                        • Number of non-executed functions: 9
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1276 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 4164 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6360 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 4612 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 5064 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 6484 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7160 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 3304 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 3408 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 3568 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 5420 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: setup.msi

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        08:59:07API Interceptor2x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        08:59:12API Interceptor1647x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        08:59:35API Interceptor75x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        08:59:47API Interceptor116633x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        08:59:53API Interceptor117x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        09:00:24API Interceptor40x Sleep call for process: AgentPackageOsUpdates.exe modified
                                                                                                                                                                                                                                        09:00:25API Interceptor314x Sleep call for process: AgentPackageTicketing.exe modified
                                                                                                                                                                                                                                        09:00:29API Interceptor1x Sleep call for process: AgentPackageInternalPoller.exe modified
                                                                                                                                                                                                                                        09:00:45API Interceptor7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
                                                                                                                                                                                                                                        15:00:16Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                        4f2997.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        4f2998.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        4f2999.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        4f299a.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        4f299b.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        4f299c.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        4f299d.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Config.Msi\4f2991.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8807
                                                                                                                                                                                                                                        Entropy (8bit):5.654334343936192
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Oj4xz1ccbTOOeMeiV61yT7r6IHfyT7r6kAVv70HVotBVeZEmzmYpLAV77Q0pY9Xr:OED2By7py7tiB2iE
                                                                                                                                                                                                                                        MD5:416CD1CBA1767A58682968F54E8381BE
                                                                                                                                                                                                                                        SHA1:058CA9BF5CD80E290E278D1233EAE7EC45552AED
                                                                                                                                                                                                                                        SHA-256:6B81A667CA98B468F3F395B9596563727F6CCD6999C54B667A9818B42FD3282C
                                                                                                                                                                                                                                        SHA-512:929F430DBD55D2A364304FB73E84C9A0FF710CE0786C1AE796C5A5D9A579B0A157295846DDBC4601DED75C123A827DC9FADC1320CC298D6F618763DB64ED9985
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4f2991.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@eG.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E311-4A2

                                                                                                                                                                                                                                        C:\Config.Msi\4f2996.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9473
                                                                                                                                                                                                                                        Entropy (8bit):5.560718619008217
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:tj4GDcRkbLCsgRRbLCMDp17qEVl0pKLALtyD0qagukGGhaKfmbHt1fS6kQDFrEcZ:tElRagRldVKKr6FT
                                                                                                                                                                                                                                        MD5:25E6A8D65A8E76784F492F7B0393AF6C
                                                                                                                                                                                                                                        SHA1:D0CEACD981C397907AEBBF706673BED0F5A86B4F
                                                                                                                                                                                                                                        SHA-256:FF1D9D1C607FF2DE3D0883762EBE53D9AC80278041A08E2129DA1137646E5DC6
                                                                                                                                                                                                                                        SHA-512:744799A99959018D2D16021855EB0844E41C28A475544D8B701618BCDA8C546609FE4E2EF5FF10A1B9B930BB8E23F13BA445033B180CF80BB5BE805893AFDF48
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4f2996.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.H.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\4f2992.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...HelpLink%...HelpTelep

                                                                                                                                                                                                                                        C:\Config.Msi\4f299e.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.653837888789087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:dy7wo+fncHMez1y36ITy36k7s5VNpkxYpLso:dPo+fncHNy3Vy3tSNpkcP
                                                                                                                                                                                                                                        MD5:8B200543AD56158134E5C8D0D5CF38AD
                                                                                                                                                                                                                                        SHA1:DF7AB503F217D46C411E9E43B506F21192E5B4D4
                                                                                                                                                                                                                                        SHA-256:41687802681325DD48673EFC02CFDB9EADC187D69DA7B044B9D77769AC3636CF
                                                                                                                                                                                                                                        SHA-512:736DE3630967D903AA1F8F082C5938329894F7C7A1F2580F37D3BA85A066F7E1A598A9437CDF0E6E38E26F52D2764348B85C3F5B5FEE0400CA16CF495BEC6127
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\4f299e.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.H.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1132160
                                                                                                                                                                                                                                        Entropy (8bit):7.999795557377318
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFZ:65Lm++hGZ5LnZMO8f+5AZ
                                                                                                                                                                                                                                        MD5:2174937F32A6185518EE1587A29DDC93
                                                                                                                                                                                                                                        SHA1:FDD1567539BCCC11A7A24DF16958FBA90255E9A6
                                                                                                                                                                                                                                        SHA-256:EA6AF22F99A0EAB283037DD3039EB2B6BAC466FF0C8CA7B348BDAEC1607F3FA8
                                                                                                                                                                                                                                        SHA-512:225B841FFE73315884190384FC3282248215DD413B16B3D82E22D1224BC8AC0EEB57DE2D313C8FC0C0AE6B191930DAEB01601364B6D4392808A8C4256F7EE7AC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....}BrX.j5.........-...AgentPackageADRemote/AgentPackageADRemote.exe....0........d......0.....r...,.. UMA...|f-].=.U.j..p.....r..f.<..Z..g}m..LC.T.....Y.{s\.k... Y.....4..}..h.<L......L.........z.i9.K..~.ue."#"r.r..p..0.\./R...C.w..8..-.3.t...(.c..P..N....q.v&........u.a.e...]...9....r.@.=\v..B.~{|c.j.S...JL!g..Y@Ts9D$...)P.......{..8...Y...K...Z._".@.....a.8.P..7...ZY.-D8f\..ej.....@.w.$R>Q.B.....V..@..9....zdB..x..GK.....LDp...Xc......x......*.u..R..,...#...Q,.V....}..W....oT.._6n.g..bK.p.s...pABSv0.7..'.JK ....b.Y.-.B...!'Tjsn...."V......B.@.<CQ.K....>D.5E..w.'. ._%E..-......7.M..u1nr.7....T[.%6..t...Z..Q.;./....k.V....J-.\`..d...K.c. ..D.G.j.../..z..k.KH.....!..M...8....fr.......m....2..4-... ..CF...skN*.kv.E[3."gi3.Uv..*.S...n..~...)..!V..>...D..2..b..}..xW.ZPd..X\.g...1.RY.u.]p..Z b%r.....Hc.N.+[E...Q....3.K.H.....)NQ@L......./2.v..q...*.-:%... "...`...i..+!.D..q.];.ARRrQZ.B. i...M...Qy$.....p...A.U...=...LHF%...]..l.S.pl1....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384894
                                                                                                                                                                                                                                        Entropy (8bit):7.999386459973609
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:v5tKfF+xcaAeibHkWm83Bb5HKVP92+imBs7H8dPkoFuvjQ2AhWy90sW1WTHHVwM9:htUF+xcsibbLLPUWOPkeuU2AsyjW15PE
                                                                                                                                                                                                                                        MD5:ABA4C6047CFEC27B6DB13E0F103F4BDB
                                                                                                                                                                                                                                        SHA1:916CB99BF2828286034BA6EF63891AABA24770EF
                                                                                                                                                                                                                                        SHA-256:B88271E1A2DF3FB14FA862922ECE74E403C6135DDE18BD58EE1F2003992F1D38
                                                                                                                                                                                                                                        SHA-512:6AD7D25781EDD630E2DD187A2523ACD3623ADA5AF5BBB822AEDE3643BA4A04E191B7E2B31DE78E362B9AC44A38A917B19C19FEBEA4EBC1E963F9F85BEA61DCA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....u..Y..p.........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....(.......8..........J..0....:........ggZ.......(;4jy.../...l...B...J....,..7;.2a..z.^.....d.....R.....B....U6-.j.D.}..7(..O...{<...^...R...$X.......g.u..C".............U...;...K...{C....k......MA0..$.X.JK@>Q.omT;.......6...%H..L...|.u"w...y.$.|].m.X/0.Ev.c$....X.;@...$^L*...g$...-.t...z>a..8g|O.K..b.?f?.......b........lsJ.*0..{zV1..U.*...=..C$..8a.....@(..s.r...k.....6.*...op.%....Z.!.7M3.C.>.aH.BS..?lB...SW...h.......hB...cT^uI1o..'x..eq)5@.[....$.]......1.LPx.....Q..{z..Ynm......OKr.S.S$z..4..a.D..R........2$...5B...;S..Ys...a....h.. .M..e.M...>...P,..Q.H.P.Yj.).I.y..ZC|S...'..U.]..r.".vA....n.>#...1.v..,Q.i.... ..u.p$.b.?...8<..v..o.*.Sf<r.Cx.C.'.#3.RL..kw.,..(Wz...L'..@..]K..z...E.....a....a...kG.P..#.D.....DKp.{;.\.*..R....Hp]...m<5.6.sjq...!.55.....|8...j...F...Lp.I...../.*.....Q..VR.0x..`.j*...j......%qc..2......WG...7_.d.V....7)@g..~.8M..=......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178728
                                                                                                                                                                                                                                        Entropy (8bit):5.825238453021458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hEEm/xCr5UQFKa2kf9ZSf4aP8gCko0Dcm:hE7/xCwa2C9ZAt
                                                                                                                                                                                                                                        MD5:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        SHA1:C686501C1CDE18346B237C83450333E95570B844
                                                                                                                                                                                                                                        SHA-256:073E4CB181DF1D54B75277A52356A8D42573D61E878710BACDA8F2B0931D08A1
                                                                                                                                                                                                                                        SHA-512:C933C7C1FA3DEFE69CB1A86193A04533068C3695DCC14B235DA9E9342C5A81245060C72669069F2A06410DE7AEA1CABDFBC41B410353C597A731250E00CCBE93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.Tg.........."...0.............".... ........@.. ..............................i.....`....................................O.......................((........................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H....... ...x.......,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWYn:WB
                                                                                                                                                                                                                                        MD5:F647BC6B4E05B062BDE5A2F379B438BE
                                                                                                                                                                                                                                        SHA1:17FFC1B640A9AD0A8DC087CCA6C99478197EBAA0
                                                                                                                                                                                                                                        SHA-256:5F46695D90CFFB577A2961A23BE6DFAC09B39BFB2B9CBA13E5327407EE3557B6
                                                                                                                                                                                                                                        SHA-512:7EDB51CEFC77A67EF55093AA31D5C8AC899A6681D53AE6300132D851644CB15A0762511C61378C4C8C8C02A1B83A704E834C627B0998673085357A04599280AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=38.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.1801112962149105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:sJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762OO:sQUm2H5KTfOLgxFJjE50vksVUfPvO1YO
                                                                                                                                                                                                                                        MD5:14FCB3F21FFC0FF3FA9F3C1CDEEFAE9D
                                                                                                                                                                                                                                        SHA1:6FD620BFC789F753E52E458A01E9522F3651E30B
                                                                                                                                                                                                                                        SHA-256:4C9AC64A4044D378D198A4371C7B346F891BF649EF21104440B8B4106AD0494C
                                                                                                                                                                                                                                        SHA-512:F3AE77B31184EDBA0AD2C97035AA96D2A28C77EBEF1CA7B4F26751DA606D2A0C9E0C636D51B44E1984BF6FEF3BECE596EA3CEDF3F901276CC61718AD3B20CFC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................{.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704552
                                                                                                                                                                                                                                        Entropy (8bit):5.953924597885397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:r9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3g:r8m657w6ZBLmkitKqBCjC0PDgM5w
                                                                                                                                                                                                                                        MD5:E337926D73F2A989AAAEE4C76709B750
                                                                                                                                                                                                                                        SHA1:11236A81C756E4137BC9400B62A93C4A2FA16BC1
                                                                                                                                                                                                                                        SHA-256:95E8D460402889DB8D3A87E4AAD117DCF829AB4FDCFB5B53589325E7DEDA7EB4
                                                                                                                                                                                                                                        SHA-512:ACDF3121F79BDC7ECE72D9539BFD3CD0436F406529EDC1D92ACB16A1EA212FFEEADD1839A38F013FE898F2B23B9CCC92C4A7DDBFFCD7B6F808388307072AAF7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...................................`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.655762678423969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKY4MsShLP6SX9NfzyShaKf0O63GShaKf0Od:P4qBX9Nf16Fd
                                                                                                                                                                                                                                        MD5:0852ADE20D6930BE0A4A302F62B17565
                                                                                                                                                                                                                                        SHA1:8B78AC2858EB9DF751953428660533112094F099
                                                                                                                                                                                                                                        SHA-256:48D4AF5AFF13292F948978798C0E933C857702DABFA2433F4BD958C469471A7E
                                                                                                                                                                                                                                        SHA-512:4D2AD041C1ED04D33F793B850E1265C781FCFE82F1832D824FC5DB8CA6DE3F879D5A4F944280AEECC6302A361E4907DCC9C01BA8890680D4423F7C94D5451522
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=38.3.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]..............j..h5 .H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.857016588002657
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ccWmlxU9e:tHUA
                                                                                                                                                                                                                                        MD5:AE5689F4CCCFF0E7C24591EE69AAB2ED
                                                                                                                                                                                                                                        SHA1:4CAE587194868EFFB050471D26BA6904D6C584EA
                                                                                                                                                                                                                                        SHA-256:991CD18DEFB5073CE3DB5B6339573AB13C56AE1688B5B56FCA8B4E62A9552236
                                                                                                                                                                                                                                        SHA-512:81E827D371E541D7B9B8A2FF1894AD7CD6340CAC883EE894B6243C780FDA4564678E6A2A7030082205FCC524BA44E88F08472CD7BBAA20DAC6793C5191E45DA2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.05C93963C330CBAD2D15E5107FAB33A2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.8861465882499107
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1SiWgLNR:IiWCR
                                                                                                                                                                                                                                        MD5:E72C3ABAE38B7E08ECBA06285A0AD28B
                                                                                                                                                                                                                                        SHA1:C03CD285CFB0BBA7E54DC0ADAE239B46B2274261
                                                                                                                                                                                                                                        SHA-256:325857691F11316854BBD39873EEE89D971384984DDA801BDCC59F08C07B45CA
                                                                                                                                                                                                                                        SHA-512:6F3703CD369DE07A96D46535ABE2528F1C22823903FD0CA650BFA5F61D3A63D64363B59AE072DDF4AC03EE2AA7B7355671DF2725BCE57349D1FF552E099F346B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.ECA830C1543EEA5896618FECF968B0B4

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19
                                                                                                                                                                                                                                        Entropy (8bit):2.8397755396455087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:FS7n:87n
                                                                                                                                                                                                                                        MD5:3557D16D6023F0AA71A9ED69F94E8D9E
                                                                                                                                                                                                                                        SHA1:799D27B23392AAAC40290F8A7160E8223FA0EB57
                                                                                                                                                                                                                                        SHA-256:77CEAF35FBD614480242D3FB1603AD6E89501CBADE1396CFAE47B87CE7FC03E9
                                                                                                                                                                                                                                        SHA-512:E7B10AD94F6F82F18677FD66DCD92A97B2C32EDD16C1A98712D2860A606E19FD45E8BC4D27DF71C207B7A60993138D02459E80A8831583212EF4DB3C8195C169
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:19/12/2024 09:00:29

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639
                                                                                                                                                                                                                                        Entropy (8bit):4.758840388234917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:OuIytXEWIy6XEOMrDb4ECuZDyQgICr6Llji5r6LljiN4gLn:O+tXfWq4EwQCwi5wiOu
                                                                                                                                                                                                                                        MD5:14DD5F23696E23EA856FC06820045D31
                                                                                                                                                                                                                                        SHA1:3AF5AFA70BA9B2663A05539F41EAE4BB9604636E
                                                                                                                                                                                                                                        SHA-256:B07FDDB5518EDE583FEF7811E914BA70DAD93AB7E248C06EC3790F1272989BEE
                                                                                                                                                                                                                                        SHA-512:BDA6C03EC9AE11A1A16CDFF07766977EF92085730F264A6E06BE4969ED68AFEFF0F4DA66443FEABCF39D5EA00E9BA7619DBFBF1969010E12AD84D6CC7538B646
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:19/12/2024 09:00:25 In Program static constructor, before instantiating _logger19/12/2024 09:00:26 In Program static constructor, after instantiating _logger without using _logger19/12/2024 09:00:26 Starting Main(), logging without using _logger..19/12/2024 09:00:26.378 am: Info: Before PollAll() call written at: 19/12/2024 09:00:26..19/12/2024 09:00:29.691 am: Info: In PollAll() before Poller.PollAll(false) written at: 19/12/2024 09:00:29..19/12/2024 09:00:29.722 am: Info: In PollAll() after Poller.PollAll(false) written at: 19/12/2024 09:00:29..19/12/2024 09:00:29.722 am: Info: After PollAll() call written at: 19/12/2024 09:00:29

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1246506
                                                                                                                                                                                                                                        Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                        MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                        SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                        SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                        SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37936
                                                                                                                                                                                                                                        Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                        MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                        SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                        SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                        SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!............."...0..`............... ........@.. ..............................P.....`.................................Q...O....................l..0(...........~..8............................................ ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............j..............@..B........................H....... 5...I...........................................................0..H........(......}......}......~D...%-.&~C.....j...s....%.D...(...+}.......}....*.0.._........{....-.r...ps....z.{....o.....i./2.{....r+..pr...p.{....o....(....(....o.............{....o........:...%.. ..o...........i.0..+......{.....o....-2.{....r...pr...p.{....o....(....(....o............{.....o.....o....o .....-.....ws....%.{....o!...o"...%.{....o#...o$...%.o.......E...{....%-.&.+.(....%-.&.+..(...+

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295
                                                                                                                                                                                                                                        Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                        MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                        SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                        SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                        SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                        MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                        SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                        SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                        SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                        MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                        SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                        SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                        SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ...............................+....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                        MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                        SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                        SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                        SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                        MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                        SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                        SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                        SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ...................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):702512
                                                                                                                                                                                                                                        Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                        MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                        SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                        SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                        SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ....................................`.....................................O.......................0(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585766
                                                                                                                                                                                                                                        Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                        MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                        SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                        SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                        SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398384
                                                                                                                                                                                                                                        Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                        MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                        SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                        SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                        MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                        SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                        SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                        SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                        MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                        SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                        SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                        SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                        MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                        SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                        SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                        SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                        MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                        SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                        SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                        SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                        MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                        SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                        SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                        SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                        MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                        SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                        SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                        SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                        SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                        SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                        SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                        SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                        SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                        SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                        MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                        SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                        SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                        SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                        SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                        SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                        SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                        MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                        SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                        SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                        SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                        MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                        SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                        SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                        SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                        MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                        SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                        SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                        SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                        MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                        SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                        SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                        SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                        MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                        SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                        SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                        SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                        MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                        SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                        SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                        SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                        MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                        SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                        SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                        SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                        MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                        SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                        SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                        SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                        MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                        SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                        SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                        SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                        MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                        SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                        SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                        SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                        MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                        SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                        SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                        SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.253517905437818
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:vgDOKLXg8OCgFOtZgYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4dh:4/Qv/H8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                        MD5:4D714C870D7B6329C9BFBF6517CE88EF
                                                                                                                                                                                                                                        SHA1:C48702010193B59B40A0FE016CC234ED78C106E3
                                                                                                                                                                                                                                        SHA-256:438108871989BA95FEF727CFF15C7CC2C1B5D93EEF4529B05EE5CC47AED9C3A1
                                                                                                                                                                                                                                        SHA-512:0471F3FCCF04EC5DC6C5517B69D1F07DD510A175439C254D92CAD046C15F8D8693CDE68B44D0A9C988BA56FD985286B25FDA9D0E534A746454E3BD53CFC21AB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-19 09:00:23.2485|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-19 09:00:24.3423|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-19 09:00:26.3892|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-19 09:00:29.5454|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 20, database pages 14, cookie 0xb, schema 4, UTF-8, version-valid-for 20
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57344
                                                                                                                                                                                                                                        Entropy (8bit):1.4781478507445867
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:N5PsveM5ptzy8OO7QzyO+pztzy8OO7QzyO+pxtzy8OO7QzyO+pE:YM
                                                                                                                                                                                                                                        MD5:B829D1145591E50A81E1900E05ADDD58
                                                                                                                                                                                                                                        SHA1:3C6F64936DD0BE8BD484BDBBBB2B2C2737D5D132
                                                                                                                                                                                                                                        SHA-256:90A2112D04EA95EB9A2FAA1B3822B9D01CE02B3561AD755F1E3786AE14300B5A
                                                                                                                                                                                                                                        SHA-512:DD181502CA72FA2287E2DD67E32BBE2EBB5182CA8CF07B48990388C10E7475720DDC450C9CAE60094FFDF7D72B4C4FDC46C9D6C7AEA0119FBD5D447C55C22FFD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):1.8971215269595676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7M8qiFu5C4OZUlFJNGdNGveXXQXN+5NG1ZU:7tNu5C4OoNSN1eN+5NmU
                                                                                                                                                                                                                                        MD5:A3FF79BB2C6C881157A6BA22A415EEFC
                                                                                                                                                                                                                                        SHA1:126274868B34B7FB7E56866DE6B88225F310B8A1
                                                                                                                                                                                                                                        SHA-256:1C88522FC923A3938D885ADB9DB5BECF94F1DAD28B8015C58CFF667263927AF5
                                                                                                                                                                                                                                        SHA-512:2452E269A25992EF7E53D3E96115E83AB1D773D30C1DFB0D2A69252A4B7C6C0E35C2D75F5504DD73DF30C64046C1241525C599BC7B0BB185EC637B187D1174BF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.... .c......#w-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                        MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                        SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                        SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                        SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                        MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                        SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                        SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                        SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2950466
                                                                                                                                                                                                                                        Entropy (8bit):7.998782979199986
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:xbG/HdRftau56Aie0UvSxh1NcXkFuTCjCNAbhnOYqIR83DJu51lPIq6YmtzfaQgD:c/9RfogeQqVNcrTLNkIX3DJcz7SaQov
                                                                                                                                                                                                                                        MD5:A3B618CCA61ED197743E369F5F2EC0F2
                                                                                                                                                                                                                                        SHA1:B960C72ED47514479432931852EE251BA2BB7C05
                                                                                                                                                                                                                                        SHA-256:3C1AEA4F44A249649C8B3773E29DB5F4AC940E6BBCB48990151F1879CB7370F9
                                                                                                                                                                                                                                        SHA-512:7DEEC849ABE74AA16FF54B265C00CC01C860D7B4A3F99B10ED64D7BB552991C7CC621A9857DAD5F85A9E3B00FD04D028B1599E678C6FC335FD8FC2DC807A5443
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......n.Y..7Z........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r......G?......;........,p..7P2r.V.\.t_@.=..-.._.R....]....a$...D......4.s.(`.A.<....O\.t~...DS....'....z...........a..xC.j..:.?.2...@.?g..@.V}.....K=g9B2....\...P.L........o....9`.Q.>V`..C&..-48....X3..X2J..oID.....mS..V...2..[..Uv.U]..lI..W.k..i.Sj.Q*.cg=.N.`.{0w.c....0...H../......V2...jA...y.D=..FiL.E....r.=Qj.h+...:.I.m.......O.......e.$.V..z..p.A. y.F..9?..q...6.m..{..q..DA...y.#0......w.{!..B-.....m..'Q4M...........g.F...<..X..+3D......r...o|.....K0...3..6.......v)............>.Q.........Xl..gCu.'./..7....`.Jr.......y..i...9.x-m.Pb.T.l.R#...ewg....L%j.6t...=.H.......^,&dX......cZ..ag....H&.R..".^....v.e.@....v.../...%9@=..~N...".._.+56....q..Z{...N%U^.d|,.K]s.@[.2.....Q..*.8.._.....~.V.+t.~....g!...p\8c.1...I...9j?.\.p.7....,d.....#..P..aN...5.].._7..5..O.......I`..s'....6..H...,..d.."(`.....&....l@.._...G.4T..Z7....o.6...u.(.a.-...h\.e.h.j6.L..O

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.376388174256496
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJIc:UlexZT375i0qvT+b7z1pEpYi606v
                                                                                                                                                                                                                                        MD5:D8ACFFF68AB2B25E2BEBEACB8C26C594
                                                                                                                                                                                                                                        SHA1:B2B0BFD6C0B90495B0013D6F69144E1F841675F9
                                                                                                                                                                                                                                        SHA-256:DAF53A130F257E647ABFF99A883891B616C5AA6EDB8E81B1CC30F4CFDC910DD2
                                                                                                                                                                                                                                        SHA-512:E6AA3E8C054913BDF10F7998927E95F1E3F8AE67A570F648358954AF874ACF9F415BE712969C90F64B6C433FB0AE5AAACE87C780769DBC1B669FD11F79051A37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..@..........N_... ...`....... ....................................`..................................^..O....`...............J..((..........@^..8............................................ ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................-_......H........*..`3..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):201256
                                                                                                                                                                                                                                        Entropy (8bit):5.752384757578713
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:cwfnZYi3KYU6yLRgNZiVTC5dlwuIT2tl/pRLrPd3iqiTjw7RuHM6:FPZYJXINZCg/pJLNiqiTjSRg
                                                                                                                                                                                                                                        MD5:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        SHA1:36D1DF0BF16CC0EEDEA3118EC9993A3E6B0A65A5
                                                                                                                                                                                                                                        SHA-256:0FD22D6CDCD306538D9AD6E49A2CC4C2D6CC1D413097483B526419E55DD3FE09
                                                                                                                                                                                                                                        SHA-512:F4119BCA8C17697B3070E47BA672E0CE0A6AD4A4C0D358E6EE474DA02CC560A8B8FBEC8F17085DFA602D93FEDF2B422F70C2CC4C9AE6319CA6711BF220D56F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Uy..........."...0.................. ........@.. .......................@............`.....................................O.......4...............((... ...... ...8............................................ ............... ..H............text...$.... ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H...........D&............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102440
                                                                                                                                                                                                                                        Entropy (8bit):6.190411276623129
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476GC:x2bYbYSWd85I5sSakFQhHLv4O
                                                                                                                                                                                                                                        MD5:7AE1430949A1C56AD042961653762263
                                                                                                                                                                                                                                        SHA1:75791D6326D7C82FDB27C680468D18C3F6B2DFF5
                                                                                                                                                                                                                                        SHA-256:38F922198A9B6557697F343C7024F542917D3098587F1FC9E9C755FFEC7D8852
                                                                                                                                                                                                                                        SHA-512:5338078891957549DFB64314ECBB798C389CBBBD6BBD258E98E4B865E6C2473AAB236078BECB742DD173A776A4A7B9A30C2936F558817CAFCFCC5C0358D9D520
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ...............................C....`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95272
                                                                                                                                                                                                                                        Entropy (8bit):5.996467833078292
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:B4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766K:B4auS7S5Ea6WMcpuUBQ
                                                                                                                                                                                                                                        MD5:DBE2521C43EAD76AA4BEB5B9C7D2F59A
                                                                                                                                                                                                                                        SHA1:792146B5EFD12DDDBADCAE9347C5919C49438E2B
                                                                                                                                                                                                                                        SHA-256:FC0AE3A42341726D460309967DC68EC1BE492F2E88011D23049478BD55119859
                                                                                                                                                                                                                                        SHA-512:1348C8D391D5EE4DD38F5F69CFFEF01F30916E3C1F184BD23F7E088C24F1C19D121080FD2DADECAE09EB8DAADB6F2690C3C53B527011A0E45CDDF73F7308CB39
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ...................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.655011797541533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jXh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlW9OtuYo:jXh+tY2jNyb8E9VF6IYijSJIVxaFmIU
                                                                                                                                                                                                                                        MD5:DE0940A5587A4484D0887A9E8F9525AC
                                                                                                                                                                                                                                        SHA1:A899252BCBA0A838D0ECE4B5424F20F7D55C4E2F
                                                                                                                                                                                                                                        SHA-256:57EFC5A6135C080291943EE3E54B42992AE3CFED361DE0C4CB0880D06F70E87E
                                                                                                                                                                                                                                        SHA-512:E2B90F6B89DD9FB3D80A04D4361BCBA24AA95E6FA539D3E9A298E53E63E8AF48342DBFA56DB12FF70812B4D86FA143A1CD361DB97CAE34483E8739D0D583C560
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ..............................H.....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75304
                                                                                                                                                                                                                                        Entropy (8bit):6.240548247823196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:AF+qo7mDEwj4NXLGcfgruFcaD76j6G
                                                                                                                                                                                                                                        MD5:EA66884148B982C181938D224D2864BF
                                                                                                                                                                                                                                        SHA1:3F10A7B2D40028814C9CEE4F1B968D35615FEBE4
                                                                                                                                                                                                                                        SHA-256:A66431B4751E904E6534C70A214DF47CFB6F277A638DC273578B21E4AFF30F97
                                                                                                                                                                                                                                        SHA-512:D6A7FB617F369A9775804585680DECF859588E216A7084ACBEF19CAEC62C32CBEF5427E56FDED786B4F1D8C5531BE1B48CCB6941EE2AB7CBD9FCD1B2CA6D656D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.406947621251296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:0QMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi606:09MYn1seLE8JFMLcyXQ763
                                                                                                                                                                                                                                        MD5:44572E361C8A5D83D3F88FBF26678CB6
                                                                                                                                                                                                                                        SHA1:F675826057A670E24787C1AF8FD1DDE7095512FE
                                                                                                                                                                                                                                        SHA-256:8FA8A85424521011BEFF1A943D6B43DBF4C1919F64059ABBAD713959AA1CBF78
                                                                                                                                                                                                                                        SHA-512:F1F6F2C953BBD277042FD20665F9F0D10C0FF8BDB3E126436CEFC7D5B425171DDF52F671E38F901622056DFD5E2E49D455963C1687EBA63C3ED30FF2FFFD3F7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.203459095547969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:DRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhS:d9XeDmzV2yzlhKLFU1lLVp1+2flYFnQ7
                                                                                                                                                                                                                                        MD5:93E80E2402F809533066A5CFAB1A036D
                                                                                                                                                                                                                                        SHA1:E687A74691A96C38AF2C002ED084EA3989EE62F1
                                                                                                                                                                                                                                        SHA-256:34EC376EADB8E017FABE9DBEA7044BFC09C2CC6DB606DB8B92CEFD4A2128FD05
                                                                                                                                                                                                                                        SHA-512:01BC86EF55526457AF49526E9C85EA140C4E053A5463C3293109F14780DE37DA4929D3727407243DC1101CEC03F402D219F0E088BF21B194FB327340A7075710
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ...................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96296
                                                                                                                                                                                                                                        Entropy (8bit):5.633445559193163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJE:eQmyxL2L4D+YZL2X7SAaqywjhkWeE
                                                                                                                                                                                                                                        MD5:C761AE0EFFEBBC19712FF0AFA47CE0DE
                                                                                                                                                                                                                                        SHA1:97F433BEF7A8B99A9AA7AE9FDB3AD6EB1D106390
                                                                                                                                                                                                                                        SHA-256:12827A7383B15852EE8FF708877362C8BF576F44FDAE4E6FF9A9B1690D683328
                                                                                                                                                                                                                                        SHA-512:707BFB532BA8F997F5D2469ED11028666AF64044D179C083C71A14FE8A54E9368C6D69882D1E512CDC44EC792761D0CFD4EE5152B010F691F5E493FC0BB6C36E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ..............................d'....@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386600
                                                                                                                                                                                                                                        Entropy (8bit):6.135834446764712
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyk:9sbZnMfwWFKFrrWa8BvEyk
                                                                                                                                                                                                                                        MD5:CEC5B94BA8647554464BB8E6923BCEE9
                                                                                                                                                                                                                                        SHA1:4CF191F4477CF7B82ACC4405DE4CB558AEA668B1
                                                                                                                                                                                                                                        SHA-256:624AA1E6343CE9310389307B612D40EEBD6B04E24123E4190D1DACF521FC11A3
                                                                                                                                                                                                                                        SHA-512:1061BFA98B472B6999420B77728084C1281872687AE90687C01F3077FEB2272BC42153592D72D6B8D618C70C7D0240D9558B5D6EBAF838EF05BBEA67FC0FF18E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ...........`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.835638359040336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZN9VWhX3WseNyb8E9VF6IYijSJIVxF5WBL0:rGZmEpYi60C0
                                                                                                                                                                                                                                        MD5:9FB340DC924069CCBDB4A53109680505
                                                                                                                                                                                                                                        SHA1:1F5F1A7A81991852931399A0E11458C8F1B86627
                                                                                                                                                                                                                                        SHA-256:4A53EBD4A61DCA9EB0F46625701BF9C1720A2AA4BE23EA1BFFEB9CC0D24334A9
                                                                                                                                                                                                                                        SHA-512:9BF44EF2319E0C3C50803EEE5066852323C931864C1241E77AC5A0ADA18D70B5C7734776C085C7D7D265771F81DE324F2332D91DE67AADEB858628AC2227C2F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ...............................Y....@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168725098420968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTF:sDMUWITZznu85k8Wdn8KmCjIFi3Vv5
                                                                                                                                                                                                                                        MD5:6F8BEC6FACB3F7CCB38397B08590A196
                                                                                                                                                                                                                                        SHA1:1EA9953A3876025FC40EC7F58F6EB5ECB469951C
                                                                                                                                                                                                                                        SHA-256:8A14F59A3E963DBCAAF23706C91F02A390D68425FD160745174FB847FE750BE1
                                                                                                                                                                                                                                        SHA-512:4CE87BCB73E960626A553FD3E162E23B3C054E46740DAF198898ED79C4B3FC6720AC1CA1E8AB3CFBB3D43F1036AE4331B9069730A9B165DD2BC2C87A014E47B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@.......>....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883752
                                                                                                                                                                                                                                        Entropy (8bit):6.071468980672946
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:h1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ/:h1n1p9LdRN39aQZUqm
                                                                                                                                                                                                                                        MD5:29DCD9B065CFB49C8E52C930F7F4CE09
                                                                                                                                                                                                                                        SHA1:768CCADA86D84899E458221931EF08DFFF18D4DD
                                                                                                                                                                                                                                        SHA-256:1B6A5C03895D4722AE6A575B45564BAC1F6B7C63A8B3317CDA7048F868BBE8BD
                                                                                                                                                                                                                                        SHA-512:2C620A2E6003DCF311F40C8CA4AADBEFD572E1A20C7ED323AE738C9C23F20267F66DB0CA61A9796F45198C137404468A71EC7D7DE0F5A947B8B0BF0A6159C439
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960227950500775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:YBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUJ+t:YBA/ZTvQD0XY0AJBSjRlXP36RMGvt
                                                                                                                                                                                                                                        MD5:9793A92CB1C1C940989601DEE0F0DBCF
                                                                                                                                                                                                                                        SHA1:958BA5FC0E03CCB502566A66C41F8AD5E38890D9
                                                                                                                                                                                                                                        SHA-256:B9E1C3B969F7D54FA8830E83AA3B5A53B8016D3F69CCDEF55BA730ACBE63E844
                                                                                                                                                                                                                                        SHA-512:0BF96E24288878A5A8554CE7FEB8988CB9CC9447E7734CA0AC44B973F0A49B54C4AC254743AE2FEE31AB7C8B4C21952AC1E3AACE43063D54C80A7DD174BEC3E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......g<....`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285736
                                                                                                                                                                                                                                        Entropy (8bit):6.18456718086945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:DZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvH:DZU0BJwuOcrl1w7HX3HWi
                                                                                                                                                                                                                                        MD5:2D9C14E9D5F1DD0D6F4561AFE4EFB117
                                                                                                                                                                                                                                        SHA1:C35DE5E2080905AC3E1E488A7438D97D1DBAB813
                                                                                                                                                                                                                                        SHA-256:92C283F20DFE5948DF55FE662EFFCAE4C29796EA30619EA5680565D7ACD232DE
                                                                                                                                                                                                                                        SHA-512:FF68BA66200A352E2A342C4302C863C08D19BF697A3AFF12104C396F17BE19720E9EFA2CF6ECB639FCAD24E96429AB2269AFE3962C76CE781F14526B08DD13E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ...............................9....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.559882733809932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3AQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxstR:k1LOg3BtNbEpYi60C
                                                                                                                                                                                                                                        MD5:DCFD01239E8A7F23790A7101DA676EF0
                                                                                                                                                                                                                                        SHA1:DD4634C7D293365B988B94E90A6D3D5870C1B943
                                                                                                                                                                                                                                        SHA-256:276C6EF4FAB5412DD3CD67B02D109F1F17CD095EF76A759E57CBFD90721558CC
                                                                                                                                                                                                                                        SHA-512:E77FBB7077283EBE3E1438A7EB318EF377EA13009898C486035A0A453A9ECB56E93728E91983A848B12D1D2FAC38581DFB08E424831A7F6A6FBAB305EC4CF891
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ....................................`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210984
                                                                                                                                                                                                                                        Entropy (8bit):5.347926641317825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:asMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7w:vMNkrE4AOqcIzQijLW
                                                                                                                                                                                                                                        MD5:D62F66067037F0A886F49623432A910C
                                                                                                                                                                                                                                        SHA1:1B004247986129E223012CD0EB4102EC09261EF1
                                                                                                                                                                                                                                        SHA-256:EC905D40CCA16B8541361CE8B46AED84696D7AC058B24CAFA05C537D122D6C20
                                                                                                                                                                                                                                        SHA-512:CD041171004B2D4CDB5C9F403EA7A1ECEE251386C8D558A8DE9D8D3DCFC5A0E91F4756DE3BEE113E50DC3D72434A8BF0E2427A92EB3E7E54DF60A7934C5BD375
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`............`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284200
                                                                                                                                                                                                                                        Entropy (8bit):6.116883944959782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHh:Pgo0WPVTXgB
                                                                                                                                                                                                                                        MD5:B3A083FF4CBA132ED396B4065F8DB23A
                                                                                                                                                                                                                                        SHA1:8419F4EAE5F93791B80B978442F38821840049E5
                                                                                                                                                                                                                                        SHA-256:ED7D1084B55D98E76DC0D179ABDB9E709E9F0620B7E2DD9BE0642087F2238A9D
                                                                                                                                                                                                                                        SHA-512:AA05ACCCB10FDC132C124AC97FA85FED063065E26EA019A3914C778094BD361197D9949D3ABCCAE9A106B857C22838BFC6D4DC493698A3C9BD061C38417D0500
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ..............................e.....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.80745185498431
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sDNxWQFWsoNyb8E9VF6IYijSJIVx5+zULOj:sDNVLAEpYi603L6
                                                                                                                                                                                                                                        MD5:5EA678C775885C4D41D2B8085D6C1329
                                                                                                                                                                                                                                        SHA1:DDEE62213D83D36761CD4753C817B7F532C90FDB
                                                                                                                                                                                                                                        SHA-256:511AFD4967D12F4BC7C372E06805CA25F10EA8C150485A4AAC7EEF34AD96FFEE
                                                                                                                                                                                                                                        SHA-512:A9E2AD6546E116B7F5251219B1490309E2DBC4A85609DC3F4F6CD3A74A0810E7D3C139435F3ADF4852C5154B30850ACF3F968176FCEBB7F98B4953EE9C42781E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ....................................@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.67025116344336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxACSA0:8rMcXP64LEpYi60x0
                                                                                                                                                                                                                                        MD5:5448F30F77E8AC70F71ADE83B18472C4
                                                                                                                                                                                                                                        SHA1:5D9FAD6ED586ED5C4CB5A2A97742A318338D9643
                                                                                                                                                                                                                                        SHA-256:B686492BF626005C95E06D535F2EC57C5ECD4ABB57039148223B4C4BB58857C9
                                                                                                                                                                                                                                        SHA-512:FB99BE04C6D4A2717C9779E616064656D52EBB007F1BF590894E4A54D1DFEE483A659416CFDB9F2F4A57E93F66C0793690DEBD63181BDEB0FDF8B4DD44D39BD9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................]G....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.903910775953741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Cm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89oZ:qtaJEpYi60w9k
                                                                                                                                                                                                                                        MD5:73960FEC696D77048AD18D7A7E17E3D2
                                                                                                                                                                                                                                        SHA1:4B48B936F15CB825801C0A0D610C72C932BC03FF
                                                                                                                                                                                                                                        SHA-256:C07895B715613D99E0C06C8B6EA878583449B63D79FC70C6EA18A433CD97CE74
                                                                                                                                                                                                                                        SHA-512:D248679A2DC44E1958007999CCBCE907EF5191534821C2E4FE65F75E2DC2794B87CA8978FF3EAE89504193A72DBE9099E2B4FD7A799216729CA12FAD3EFAF13B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ..............................2.....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.9013060612731305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Anapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKfFx:LDur5NEpYi600Mj
                                                                                                                                                                                                                                        MD5:D9B7F97B00C1019C0A658A8FD61D23AB
                                                                                                                                                                                                                                        SHA1:7436FD8F1295B94C9D4CACC0CD749214C5EFF9F7
                                                                                                                                                                                                                                        SHA-256:B0277FDF71A7A354DB40AE7B893935B1F1125D07A669EBA161402C1840D8760A
                                                                                                                                                                                                                                        SHA-512:253F0D268C6665B2B4FC10B4B69A02C0D09AFCBDC77261903D44F0BCF8084715977A4A955B8DB1FD0C465619ADC6491D377E9A4A718DEE21FA46CDF133BC3215
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................4....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905254064531646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2HLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3wh:fPv5t/NOOMEpYi608o
                                                                                                                                                                                                                                        MD5:86DE589411D424DEAA6D93BA307F47D9
                                                                                                                                                                                                                                        SHA1:72F0DABE9E80E99FE6790038DB65B7A0F72BED79
                                                                                                                                                                                                                                        SHA-256:E598151F3E78C3FFC0BA5545EB5940958647E8BF602E63ECF827215847FEAA93
                                                                                                                                                                                                                                        SHA-512:DAED170855C06AF14E8051F41E6A4ED75476F573FCE0D45119DCB74209E5A9092DB4BE7FBCA63CAEADBA835E79C420C6E1F942F608CC55A07DF85C6B9D823E34
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................!....@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.761212536405013
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:o6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQpgu:yiAuEEpYi609mz
                                                                                                                                                                                                                                        MD5:45B171668A91DE91B8D8A967BDED3496
                                                                                                                                                                                                                                        SHA1:DC3CD286C8F6DBFC029D51B25D956751CA389702
                                                                                                                                                                                                                                        SHA-256:D37F94141FE5571E05C030DD509EADCA179262C73858301433CD7D503CBE8E83
                                                                                                                                                                                                                                        SHA-512:21D79E9D2DC5CB67D8ECDBB07181C7089C44CF050EEBA59923CFDC2615FA0AD86B2393DD4A32E94CC8ED3C2D84A54B646AB19753B433C4E8054E182398C89388
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...................................@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812043678321715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6nzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JGol:cpui4EpYi6071
                                                                                                                                                                                                                                        MD5:375A112E4A1B5F4267B87BFDA94DEC93
                                                                                                                                                                                                                                        SHA1:90CFAD6CB9D87089D904ACFCD06C2D2EFA531BD9
                                                                                                                                                                                                                                        SHA-256:7F6657438DF669688C5A9992E0F08CBC724D560FD551C72208EA45853F0F27D2
                                                                                                                                                                                                                                        SHA-512:AA66316049E361456FECEF59BE755D9B827EC3620A9B131B8E186264EFA824A878071E90DC7C0D7AFDC4E3D75E113A97777BFABBE534F26702D4668E262E38FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.859299181620408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aaGhr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVUCn3:qkmcvEpYi60p3
                                                                                                                                                                                                                                        MD5:B5A8331889DCD73D358F868F5010A716
                                                                                                                                                                                                                                        SHA1:BBFA855EFC2C8773B25531AB9BB9FE0524E244E0
                                                                                                                                                                                                                                        SHA-256:D28856D3150D49263D128FE64C01837C75AEE8994EA8AB2B2E98B8DE6CD0608D
                                                                                                                                                                                                                                        SHA-512:B5DBE05967C4CB8971A7431C6943ADAAAA8292314316B6462D44098BA7A02E23C7E382861023E1FEF30298D956A7382CDCCA74C4A69677D7FB70111CBCF6DFCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ....................................@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.788309691299651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4X9bS:dS9b2yEpYi60Yw
                                                                                                                                                                                                                                        MD5:42128F9EF34A6A9C41BC3714F2420AE9
                                                                                                                                                                                                                                        SHA1:2A8B7590921D91998A9848E679A87A4966A22CBB
                                                                                                                                                                                                                                        SHA-256:AC30A3D9A14A3FEC5C77D26ABEE4AB5A01F0294ED37B10EB5AFEF7BDE35F4D10
                                                                                                                                                                                                                                        SHA-512:4A563AB4FFD79539BE42D670448699353E55F6179B64C487AB4726F6DA7B60419594C8EA2DEFCC9133D398A61FD60968D2992C9449CE0CEC522F80A876342BAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ....................................@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.846804915804514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcLhE:U998yEpYi60z
                                                                                                                                                                                                                                        MD5:3FA1361360EEAFD4AA600D782C5B95FB
                                                                                                                                                                                                                                        SHA1:807E972A8BDD373A6775BD51C6E2707700656262
                                                                                                                                                                                                                                        SHA-256:19C32753A9AD183D97039C7600F261A049FF05D33F285D114D00A7D2F254D7A3
                                                                                                                                                                                                                                        SHA-512:D0228F30D6E4E7D6C55715EB3B595FF5272C94B77A367BFEA2B20375A937690D1B473E3641107D573DD5563A0CAD91097ADBD104E8D6ED5953AB683092BF4554
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.848936370515642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+tlI7u2:W7icodEpYi60u872
                                                                                                                                                                                                                                        MD5:D4623C9E4AB0B90AD818A5138809851E
                                                                                                                                                                                                                                        SHA1:83F1FA87D111CC2546BC697BFC54DB102A0F1FC3
                                                                                                                                                                                                                                        SHA-256:415EC56DB96E1C881D0A625D8D5BD8443F32F746B879F3A4112477AD6F877569
                                                                                                                                                                                                                                        SHA-512:0C8FA761E6F84CC0BC334682840B6D19A7F868901B678E79FCA2F49616E1BD75BA9FEFCC6D62BA0F39CE65E91A73E2392DB121F6499E01B5E54E3FBD831FABA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... .............................._.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148520
                                                                                                                                                                                                                                        Entropy (8bit):5.418030897059376
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:AdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSR:y+2jv1x0ebezWiup
                                                                                                                                                                                                                                        MD5:C30F65C0031BF764B2DDAC10CD631AA4
                                                                                                                                                                                                                                        SHA1:3B2C305596D50E79FFBB879277AB8C821F888574
                                                                                                                                                                                                                                        SHA-256:CEF99EA049507B57C9AB0D99EEF234CD868B79AD8B36A569ED95A0DD95468938
                                                                                                                                                                                                                                        SHA-512:639AF84758EFFF76228D28B81BF3AA87E29A9A44481EB2CED28B159AD0CDCBB0C7B4D9EE8358287E29F89B5E96AE910A06221AE6DC013D7CB6C7C3C65B679FB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ...............................*....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.809826405533208
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jzNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi9LJxz:/RtRWjYWw9Nyb8E9VF6IYijSJIVxIhxz
                                                                                                                                                                                                                                        MD5:03632BEE2A8C4399C7A6638E77B7BDF5
                                                                                                                                                                                                                                        SHA1:29D83EED2A94F58D7B9D5D9993E305111B3F9458
                                                                                                                                                                                                                                        SHA-256:B4326EDB65AF72D07E07BEFCCE899F940AC28F2AA3E0B83130722A263B8F7376
                                                                                                                                                                                                                                        SHA-512:B1408BE605FDA4B7FFF8E911C01AB0BCC60E084B9C99D366388A13875B1F080FC3812205DA14A24A6E777EFC83EA19832CBB85E38BF6CBA40E28CFFE049EC8BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................%.....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8927438121416635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:peWnoW7zNyb8E9VF6IYijSJIVxG1+MsaR:pnJvEpYi601MJ
                                                                                                                                                                                                                                        MD5:F37DE5A355ED1ABC75C046F27BC2F4B1
                                                                                                                                                                                                                                        SHA1:C972C7CBC306499908E10E2482D862871D8C716B
                                                                                                                                                                                                                                        SHA-256:CCA3B1E53F1423D56CDED1D310B473989C38E342F6345B46E96409CAAA647740
                                                                                                                                                                                                                                        SHA-512:4A023C1226026B26C9FCD701BDFE2E1672D43B513D4E0F5602B71CB0C96C305F8B46AD8A28C33694890FB0AC4F753D460841B04549A4B39FEE4CB3C17838C03F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................zH....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99368
                                                                                                                                                                                                                                        Entropy (8bit):6.236464835220594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qgDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD7633My:9itRK/XIgIZAXjD96WfLtGdM5baDw
                                                                                                                                                                                                                                        MD5:0A8B3D6653A19A29D8C8F2A5A50386D7
                                                                                                                                                                                                                                        SHA1:86380F961B9328B5FFC631BDD71A391A5864D35D
                                                                                                                                                                                                                                        SHA-256:8D99AF407453D0A0C9866C3354853973DAE96E2F57809EBB80420CF024B4CD7F
                                                                                                                                                                                                                                        SHA-512:D4E8F91BB41874F19F91A39BC6C2E0EEFFE4459502E9A1C96149F96B0D8E6D28E176C589BDB70EEE8A3993A0D14AF4047519616448B9B43C1394276C6F331B9F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ..............................n.....`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853023049206083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:E6oWJjWN3Nyb8E9VF6IYijSJIVxukXvjY:E6vk7EpYi60h7Y
                                                                                                                                                                                                                                        MD5:A906375106043CAEFDE3976F6C8AB9D4
                                                                                                                                                                                                                                        SHA1:6204B5F51841B7AE4495A51FACD85F297FF97C10
                                                                                                                                                                                                                                        SHA-256:37F3C382C8AB3940133B5ABA569EE4AB19FEB812A84DC6FB375E5C73DD5793EF
                                                                                                                                                                                                                                        SHA-512:5F2901F3CE2F8AA40236C5830544A18D32FB92DFBDE51D43531F966F46E61597A31CB59C3434DDB01D10D5F715DD74923A174A51C9BBC86E227D3F18778BAD1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777238182826117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjYCFe:yqk53MmSEpYi600ke
                                                                                                                                                                                                                                        MD5:CEA95C8FE05E4AC7F101EEE6F3DA67E9
                                                                                                                                                                                                                                        SHA1:75388B7B7EC97F278AE11AB1B9143A8F47D2148E
                                                                                                                                                                                                                                        SHA-256:0942BC5F9434099E8AEF7C512589990F553E58F4CBF4C603ECA1DBD68A44A805
                                                                                                                                                                                                                                        SHA-512:5B2E070E6CDEF67712D04F9FED6232E1BACC9FCBEEDEAAF8422A107DCC53AFA74D3446AA70901792034673F3ED61E8EA85135A95779B225500289376817893E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ..............................e.....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.660095127054316
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwO0taA:wCcyCrSEpYi60A7
                                                                                                                                                                                                                                        MD5:614FD8917DDAAAE2CBF088758C73914B
                                                                                                                                                                                                                                        SHA1:C379035B13A5D070B4A943EBB8BB01EE543674C7
                                                                                                                                                                                                                                        SHA-256:EDD5EA3BF48C308839100BF8E3FECD0ABD0946D6A0DEC23AF945C613AA06743A
                                                                                                                                                                                                                                        SHA-512:365B2E6A664B550E74316A7EF6F57ABAF93A599792B7E4C3643EF5FDE4E20A4FCDB1D0F0753F6D4E178897EA2A802D85007408AA13439C2D0DF1B118341EB962
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ...................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872731468371506
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GlTx93aWxMW5XPqNyby2sE9jBF6IYiYF85S35IVnxGUHFwPtr06Um:uAWxMWxiNyb8E9VF6IYijSJIVxMPtrxr
                                                                                                                                                                                                                                        MD5:93711124171608F9B42E4B2181484D43
                                                                                                                                                                                                                                        SHA1:E2904EBF5CF652EB87B6AA095CB33F830A506916
                                                                                                                                                                                                                                        SHA-256:CE38259EB6E894014FCF7B86F378F80181C54AC66DB0B6AB50747F7EE1801723
                                                                                                                                                                                                                                        SHA-512:7A309EC9697E31441AE05CEA45454ECC62E6CB09059E033E73751695A24C5BCF3C37494DAD56FE6A1E376FD9E14AB5D6DB259FE5C412E9C99433D1C2ED19980E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854587687942687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7YqArxbYWHaW5oPINyby2sE9jBF6IYiYF85S35IVnxGUHF2zfxGoKDM3W:TAlcWHaWOQNyb8E9VF6IYijSJIVxyo/N
                                                                                                                                                                                                                                        MD5:DDAFBA73BDD9BB3E0FB95B743D55CB3E
                                                                                                                                                                                                                                        SHA1:17622DE666A4F3A926F6999D6FF0813A0F0E9788
                                                                                                                                                                                                                                        SHA-256:F955DDF9ED01345FFCD404F723407EB610BBB6BF38BB105D4FEF37B15C27E0C4
                                                                                                                                                                                                                                        SHA-512:C3BBC2D177E750BE5BEED95A49D32653919F02F583BD239E0BD3D5E94AA3E916768E0F3295DBDB223144673A5A58CD19FA59B627C9E556CFFDE273968D898666
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.774908284976976
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zeIZnWlNWTaNyb8E9VF6IYijSJIVxpcstD0nX:iUyo6EpYi60PonX
                                                                                                                                                                                                                                        MD5:332CBA66AF5A16D8B1B987CCC925F190
                                                                                                                                                                                                                                        SHA1:8C884DDEFC71B1B86321D77D8D191A9B8E3D5066
                                                                                                                                                                                                                                        SHA-256:DF7D583A05D06A5CD414A9850A14052F27164BF878FD0AD915B4BE0FCB996220
                                                                                                                                                                                                                                        SHA-512:B9B384FFB78DD18530E50F46FE07A615E2E8733AF5153EB40751C8C444E3EDD24C7B13EC22D39D82A7840F53E86C5F713D1B05B9F05F39884E9EB26295E45175
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................G.....@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.493960742291261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF61:gQq33333333kX+TBi8OGEpYi60/o
                                                                                                                                                                                                                                        MD5:422211D2F5D7ED59687A37ECE190DDF6
                                                                                                                                                                                                                                        SHA1:E4BE0F7A07DB68D8E43AEC62922C4DDD2F60AB4F
                                                                                                                                                                                                                                        SHA-256:642CF9972708FCA429C836F717FBB3FD9C75369B662FA5D8A71D34A9A91DC304
                                                                                                                                                                                                                                        SHA-512:3157502CBD89ADD0AFFC1D90D47E76BD9B676D5A91F9E47E9606B39E31D016F3CE91C4D74755927C805353256C514E66259E4E11798E9F724F2BE3A3E8918DB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ..............................DM....@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849868448509138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:028YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9Pg:00qX2EpYi60p
                                                                                                                                                                                                                                        MD5:CB32C6061E26B386584BD9CB8937DD9F
                                                                                                                                                                                                                                        SHA1:B09E73D9C57310B7BF39F2B7B763EBECF9EFF305
                                                                                                                                                                                                                                        SHA-256:97A015EED33967F01157B982FC96ABCBA333191DFB97B793397EEA9CB1BA2B06
                                                                                                                                                                                                                                        SHA-512:8CC362FC3FD0BCE42AD3E4F22B538E7B9B377C63CE992F30C0559BF1AEBB63701AE36CC76054DF9C0358E451A0E22DFB7C081C8465576B327040F42E932DF4E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................7.....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.724457027062359
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ruMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3g5:6OcSpS2EpYi60I
                                                                                                                                                                                                                                        MD5:0749DE023247060FA69D5005B72D05F5
                                                                                                                                                                                                                                        SHA1:BCD4585CFADD7A3256D079DBB7377562E960A734
                                                                                                                                                                                                                                        SHA-256:F0F2AA6075B738A8895C69713DCC754505E273665A0559BE5F9C06DCB21A3E04
                                                                                                                                                                                                                                        SHA-512:620738F6725672A0BC54D57FDE5D594108AC24AE5C8C743E8C15E18FC84A2170608926576C4C0A51E606DDA9BBA6586EB34AFBDA2A35E1479F1DF6B421000306
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ...............................O....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.814273587968228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaIo6:09qKqjqjuq5kEpYi60C6
                                                                                                                                                                                                                                        MD5:8D2C2CD9B68FF4ACEE1FB4C2834F3B5E
                                                                                                                                                                                                                                        SHA1:66913E4F8AA71EA16BDCCEC87A832AD850D1C9C0
                                                                                                                                                                                                                                        SHA-256:DEEF6D89C2DBE482F43CE4BA7B242660D9565810BB1FCBC2D8A37D8E88090F14
                                                                                                                                                                                                                                        SHA-512:CA27C949CD9A3F0BE7CBFB0D8C82AF3F5FC552F5DBF1F84AB5DF25FCCFA0917D23955D92E64D5C7977FE26D37555107CC8FD7EB3834080DE0C5667419076298B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................7y....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20008
                                                                                                                                                                                                                                        Entropy (8bit):6.625657997130846
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3xH:evMhF2SzNzwu/NljuQmEpYi60B
                                                                                                                                                                                                                                        MD5:47C3B21FFC0966C506F850F723D358D0
                                                                                                                                                                                                                                        SHA1:033F53B07F6F3D17BEDEF483B251DFA41EE3258F
                                                                                                                                                                                                                                        SHA-256:A53DFA563B37E80C35B139F60B86231F66A64BD3856ECC3A00732C2EE1DB84C5
                                                                                                                                                                                                                                        SHA-512:8FE75506398A62EBA831331BFED8F32C84BC6F4641D6DE6C98F6152BC8CD1AFB3B3C0AA6A49F803791D3989700C99C5EC511584ABD0112B239D35B56687C0C8A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.899758032838543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyFG:LZK0pJuImEpYi60o0
                                                                                                                                                                                                                                        MD5:88B0416D84AC74BBE8FD5A5A4CF0A0E6
                                                                                                                                                                                                                                        SHA1:0D158BA1BAA4F015ED81F70196F132F5E3FD08C5
                                                                                                                                                                                                                                        SHA-256:983A680ECC3A12546900C6882115AF8C83E534BA238A329C221001294447EE4F
                                                                                                                                                                                                                                        SHA-512:1893D52DD0E8C8D2A9DBA073D6888DA0972AB9C067C20F061CE8F2988B4A416E2C1763F6959AAE4BEB9D7B0B4FC46CC9DF44F619838FB6120CEB87D41D48B1AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...................................@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.797577854527455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2Fx+WTIEfW5uP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFz9ZIQOoz:2YWsmWIyNyb8E9VF6IYijSJIVx39mBe
                                                                                                                                                                                                                                        MD5:2857137B07AE003E4409FF3C2877BF8D
                                                                                                                                                                                                                                        SHA1:91968C48E06B6F971A6B53C98BC280441381870F
                                                                                                                                                                                                                                        SHA-256:614777135464E413B1B6F8F5C408B43E6E5247F412DD49DDC1BCB9869F861857
                                                                                                                                                                                                                                        SHA-512:7C9C7D880BDBAEB2F26CAE0F060C525D21041442159EE0C4AF3B1398BED0B04525095E1367C559DA8A4D363DF10245E80C9DD2D15E38B902B41D295713B3BEF9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................(....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105000
                                                                                                                                                                                                                                        Entropy (8bit):6.382210592092604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:0vc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76s:0gk1tiLMYiDFvxqrWDWNoJXBAv
                                                                                                                                                                                                                                        MD5:A0829359A62989682E11D24CC4EBF6D1
                                                                                                                                                                                                                                        SHA1:C88788DC49E75E7749EBAFBD7F4DDF98C0D1A242
                                                                                                                                                                                                                                        SHA-256:7EFCC3AC0DD72EF7C16D28B1359F1FDD68980279FFAA3BAE604190DDE2609248
                                                                                                                                                                                                                                        SHA-512:C9218E628DD1102A283A3C24EF480BCEA55EAECF603C1292387A8CD798DC9DF329A64C3B1AB423364CFA8A5168CE4A9DBCB7C6D6A836AC252A504AD888AF8FB0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................S.....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854418584832598
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xKcuz1W1cWliNyb8E9VF6IYijSJIVxLnFbY:Lu8niEpYi60bm
                                                                                                                                                                                                                                        MD5:D3F7B9A0B11352E419B1CDBCF83015E7
                                                                                                                                                                                                                                        SHA1:12C4D615CC63861DCD6F36E142D61C2BC78A5845
                                                                                                                                                                                                                                        SHA-256:B0B8B8A3C2EE091A771B4B2C845253D40D649405A078BEC4FD52017288B44B68
                                                                                                                                                                                                                                        SHA-512:ADC3092DE4F50DA7E5786DF6DD7A083A4C7B96DE3C2208A2C08EA9F4D670D6F2450CBE3EFCD11CBEBAB858D3CCA921B8A6B3DA9702416FDA87AAEC60246576D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8598164148424745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w+SWikW0uNyb8E9VF6IYijSJIVxAd5qIAl:w+eGWEpYi60CWl
                                                                                                                                                                                                                                        MD5:AE3A14237FFFAA2318D5C49B9D25384A
                                                                                                                                                                                                                                        SHA1:C60BF9017A83802D6F30F67C10F3F359862F94AF
                                                                                                                                                                                                                                        SHA-256:877A64788C32983750F89E1069E80F18B5E8CA1503BDD133E49166476BAB8AF4
                                                                                                                                                                                                                                        SHA-512:0E0AEC9F717C61853877B2EAAB58BC74C07EA8B65920E80A97F0B2E8B5B8723457E9B6EFD965E25DCFCD93C006371680579B455CE2646A852D153AB104210A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................|....@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906965523502173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am92w:8AWzgWSsNyb8E9VF6IYijSJIVxXfw
                                                                                                                                                                                                                                        MD5:8322245B353A448868701EB5CEFF0366
                                                                                                                                                                                                                                        SHA1:BB03ECD3AD48ED71DC2D74CBF294D106017A0C61
                                                                                                                                                                                                                                        SHA-256:08DD4875CE67D7DD68B8049A35C5D156ECF8E5E609147A64F42B543A8ED69850
                                                                                                                                                                                                                                        SHA-512:307A076DF0487DA10750C0C62FB17ABC4E528CBB98D5C63660DC7D9CD0728EAA58BEDE374BA96EB454FD1FA979AFD35C00F9472231DEDA8B0669392CF53658BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8644676373526705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBLRWbYWziZNyb8E9VF6IYijSJIVx7cvS/:JB2xi9EpYi60Yq/
                                                                                                                                                                                                                                        MD5:F6EF07D79AFC7E675FA5EBDCC7D79B7F
                                                                                                                                                                                                                                        SHA1:9B554BD08408D81C7A1C8BF75BC3F14296B434FE
                                                                                                                                                                                                                                        SHA-256:C6BA6C36B72BB0958CB87F31688600C2BBB2C1BADB0F37A736FEA63EF1246D82
                                                                                                                                                                                                                                        SHA-512:785693D1EEF499896C92307D99B09B96C3003B44C8AB8A6309F4AAD11FCDE8E2E05ED473C4035EAA7895B2D65E705F12214DC8112865CB4F490538D0EE49F275
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ....................................@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851248772240086
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7ZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5yjfvu:nHW4/W1HNyb8E9VF6IYijSJIVx+ifm
                                                                                                                                                                                                                                        MD5:1674279C744E0AC92C37E8D628AFCC58
                                                                                                                                                                                                                                        SHA1:80BB542E1ACC2772680BCE8DA7877F2E30060964
                                                                                                                                                                                                                                        SHA-256:1826483303E6F886E4E7179FAD0B95992E626CDD0872EAA162F2F1290F752331
                                                                                                                                                                                                                                        SHA-512:4FA1EE9BB253447583021069AB844E0D99F5235BE33684E5F867EE51C171E0B2C0B0F43711525A554EE39A1414FE863CA8C32083608129B294654C35521FA58B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................X.....@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910107223210915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4vk7hWmCWKpNyb8E9VF6IYijSJIVxu4kG:4s7/GtEpYi609
                                                                                                                                                                                                                                        MD5:103C951C64757F344A50EEC3AB210780
                                                                                                                                                                                                                                        SHA1:3406E20443764E718D0AD3D0672575B0B514FCFF
                                                                                                                                                                                                                                        SHA-256:49EB49ABA189D221520F2CB0C86160BC917662FF2651CEEB8AF4B2155DE3EE99
                                                                                                                                                                                                                                        SHA-512:DB55DE900E686A43CC68A74B39D9FC48BC4CEF1B504622C6B9BD2687971E45EA689F33B034C1316247355BAB34F7113E6E67FC844922164303AB04E99F87E012
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876264376456095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDCENuF:0GMWCUWiBNyb8E9VF6IYijSJIVxRFj
                                                                                                                                                                                                                                        MD5:C8207749CB8E4F9DE161977613BB707C
                                                                                                                                                                                                                                        SHA1:3FC2B5274331FD3029A6B406D2F9D78D2167F365
                                                                                                                                                                                                                                        SHA-256:C00FC1D2AF59900AAAC2B8F146519F19E4BAECDE6C2FFB570EB93F0429D67055
                                                                                                                                                                                                                                        SHA-512:3416C0FB1FCF6A647D62C0244B2A2825F91151706CA3D53C687CA6C7CE9B26CE278E752650BC5042368830FD8D89B76B0A40C22114FFB4CC15BFFC9137C5CD47
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................V.....@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8553217627762395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtgBo6:JDwIBSoEpYi60j
                                                                                                                                                                                                                                        MD5:24D56DB5DDD0839D6A08D68D754B2F5D
                                                                                                                                                                                                                                        SHA1:1E6BCCAC0382417F04B829FC9F64E1988715620A
                                                                                                                                                                                                                                        SHA-256:F8EFFD4778723BD663AC172C09DAEAC2F55727F9865F4D204D275B7A2828907D
                                                                                                                                                                                                                                        SHA-512:B05261B53928A15E38DDB74BEA54FEC7BE183AAAE62BAED261D16FFCE4E63B7229B9940F6BDED12DBBE846B943D1106023C4BAF16D99E823842D9542B26D35F3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................T....@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.867317071449741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9yvPRW4lWvKNyb8E9VF6IYijSJIVxnKW/0:E39oKEpYi6050
                                                                                                                                                                                                                                        MD5:E46BF127588B1650BC3567BEACCA140A
                                                                                                                                                                                                                                        SHA1:7517514337BF161472B69EDA4AC146F9ED7614AD
                                                                                                                                                                                                                                        SHA-256:99FA3FF2EB4780EE974A8746F740C5996F1045F96E7B84C0D64043133DE5F1CC
                                                                                                                                                                                                                                        SHA-512:2117C8CE58557196306E01EE3928DCD7C5F621EA363660519AE366D8D9B4DDF2A4E8DF008466416F5C3794B737C53BCD70BFA022196BD35976B063B53914C685
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.820108756272989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N6RW6eWX8Nyb8E9VF6IYijSJIVxiAAnvP:N67XcEpYi601AvP
                                                                                                                                                                                                                                        MD5:8474250197D87865E3B304FFCBB871F3
                                                                                                                                                                                                                                        SHA1:66F807BD06287AFC74D288568C2A7A0E8147B108
                                                                                                                                                                                                                                        SHA-256:5ED289F398B5C896E31D02DE4B488A244B791E6133390C13E18DCB70C8F7FADE
                                                                                                                                                                                                                                        SHA-512:0CA7CB50DA69876D3B1FE69A0A177C8DC75D4646DFA8BAABD4FF7D0AF35215B340B40C41F48655BDDB1F05EF5F7454CA03071B30492B0ABC2C32F09B98009686
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ...............................Y....@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852041615311748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MSUP9W70WxhNyb8E9VF6IYijSJIVxu1cvO:pUe/lEpYi600D
                                                                                                                                                                                                                                        MD5:CB989B41B2BFDD3D28CCE8D0CDAFB396
                                                                                                                                                                                                                                        SHA1:461A0EC79CF28A3E1D1D0A2458918340230BD668
                                                                                                                                                                                                                                        SHA-256:A142F12BD409D63B0DE3AB42B3B609B2BF1A4919D88D8D127A3DF42BBE32344D
                                                                                                                                                                                                                                        SHA-512:7A866BB5CAC3B1BB68F417D2A1B08B3A8F25F615D48EB9564F538F602A21BEF3239E5E232B7895D54DAFA7A9B5ECDC226B318D97CE0427FCA3542CCA47AFFCFE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................YH....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851763577766904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D8yg07W0/WtTNyb8E9VF6IYijSJIVx/omHC+GK:DBHEPEpYi60A7+5
                                                                                                                                                                                                                                        MD5:F48F964BF4CA09CE820025E8FB9FD286
                                                                                                                                                                                                                                        SHA1:2F0DCFEAEED5DA6B5A3EA412484CBDA1215097B5
                                                                                                                                                                                                                                        SHA-256:B917D1093FC62C8AC7F09C0C5F5F5D6B8819C514CEAE95F1DBCA1C0F6EF3E90F
                                                                                                                                                                                                                                        SHA-512:7220B4A0B5874F6AD2B23F60935CCE8BDA06071F4300678B644BD052E8569DEF5686DEF9EC98D9BEB8868C9C64C7F8BB8B1BF58341B007AB0CADF40C994C4975
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................8....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.81431788734543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qe1WmRWgFNyb8E9VF6IYijSJIVxaHgPEA:qejjBEpYi60kqEA
                                                                                                                                                                                                                                        MD5:21BEF3F4F15A1822C8FA427F40E2E79D
                                                                                                                                                                                                                                        SHA1:141C4EA316AB0545A466A0CA4C5F5062A0E0A68F
                                                                                                                                                                                                                                        SHA-256:BEF088DBBF9483B2548ED211FC1CE0FFA16AE4B91668186F31608E3FAA1E7FFB
                                                                                                                                                                                                                                        SHA-512:5A7BCE1DD016085FEB71B75324FBDC0A916A8146328CEA1A37A8941C368031C1C4DAFAD122276CA6044F66886454AEF2DBB6192BCF2BC861807BFDB3309385F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................J.....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.16075284902631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7UGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq+:6BFd3/aFs2P
                                                                                                                                                                                                                                        MD5:FA5D0EC256AC2E57755EDCC47058A8A8
                                                                                                                                                                                                                                        SHA1:93061A3747CFBCAE4C5C5FFFDCF6546930CAB1BE
                                                                                                                                                                                                                                        SHA-256:7AE4AFC8B33E5E993C03C7725A8812576696B9B7C95F9D672F8F939174A41B89
                                                                                                                                                                                                                                        SHA-512:9455E1F16199FCA559F4B4FDAD752E565BE1F30005368FC22BAED4BF88341DC450AEE34D61D4B22B3AC2C44E418143433DC6855A121EB79E5D7F55CB2B927AFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......{D....@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192552
                                                                                                                                                                                                                                        Entropy (8bit):6.11445818411225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9eruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbb:YW60VcTvakcXcApOL
                                                                                                                                                                                                                                        MD5:1AB2879DB7DA24FAF99F379A67F6F730
                                                                                                                                                                                                                                        SHA1:AE8E5D2A16A5942B76F4F419A3237D9D12744BF6
                                                                                                                                                                                                                                        SHA-256:470915316E008128CA5270D2729B9B242B18AC867A9F89977205648E52C3CC89
                                                                                                                                                                                                                                        SHA-512:19176F685CBCEBCE0B2936D1C89776FBC9E8C676C3DD86D802AB6264ED05FC500925496827B1F0C591B23EF7B96CB52357E54EE406D218F95F11DDFF5FCE7362
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... ............@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.834910700767253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:F6ZWYLWBwNyb8E9VF6IYijSJIVxNNLkjrl:F6l4IEpYi60Wx
                                                                                                                                                                                                                                        MD5:BEC6497FC12067E3DA1309AC1143B464
                                                                                                                                                                                                                                        SHA1:BEB2D6D9A556303DA98A3D316F873ED52B1264AC
                                                                                                                                                                                                                                        SHA-256:0A6A71480332A3B00B8FD30F78136E01F1D90E72FFF130B85B26F309CEAC9B75
                                                                                                                                                                                                                                        SHA-512:1DBA61D1F8011A9500125CA4E05F9D8F677C712AD4044F648718AD7FE42183F7292DD0952311AA1805699B3D19E37EBDB283B03FA979ECBBEF81AAEB66D722BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.791328656262828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:41W1WMQWkMNyb8E9VF6IYijSJIVxuHYOj:j1yMEpYi60u1
                                                                                                                                                                                                                                        MD5:109F46F97EF7D2A7181E6ABBAD4C1A73
                                                                                                                                                                                                                                        SHA1:E91A52D5315AA20C244C7E604B5D0A20D2C54A97
                                                                                                                                                                                                                                        SHA-256:0C10372E5CF857E8752AA4799381311FA84C04C83CBBF7B8EA80361617771103
                                                                                                                                                                                                                                        SHA-512:388A28D9C85625EAC37C848F8CA5643ECB91D20823493BB4B4198AF143263749677040A40ECFFC97F4E6C6A94E8A76AC8F9172BD821C4EE9FAF3F5123D26C64A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................dY....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.832241980610204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:rQ/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/PLtL:0dSWSKW1BNyb8E9VF6IYijSJIVxsLtL
                                                                                                                                                                                                                                        MD5:991020E4E7768EFA290D127DC5D88C4D
                                                                                                                                                                                                                                        SHA1:CD1583C286DEA25E234B94F5D39CCB571A03D2AA
                                                                                                                                                                                                                                        SHA-256:375D1FD5653B2BB866435DCFCB9387D34E43A2A8C779FE17A6F7C42986EED973
                                                                                                                                                                                                                                        SHA-512:8754C64EEA0E131B90A16B261CB4AAFCEB7F663AD00E1CD6DC463CFEC7AFA3497B9756AA1B8947E3FDE8CEFC098BCCBC334B67633A34FF467F1EF10F4BA15C1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.744707960924502
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZz2C:xyYA8CqEpYi60+ZV
                                                                                                                                                                                                                                        MD5:609041C0188E3DF3A8742E479ECB3B48
                                                                                                                                                                                                                                        SHA1:A9D1FEFE61F6B91B9D87F775150119D0A3673886
                                                                                                                                                                                                                                        SHA-256:6DA72A845BED9581C538BAB8684C31BCA00B4DAA7EDBD7B5D3DD5F92C7F6C799
                                                                                                                                                                                                                                        SHA-512:C5D7AFCC83A6D145AD30D2D804562461E9E695AE93D1C4F05760EC0B7D316CA1998B1C4AB912E4039FB1ADAABB973FF559168F8EB2EDED3C58D6AF89DA5EE0E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ..............................R.....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874085333467112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Vl0qgopJ5xBcWe4W5JPwNyby2sE9jBF6IYiYF85S35IVnxGUHFVOEQkuNq:XJGWe4WTYNyb8E9VF6IYijSJIVx5OzQ
                                                                                                                                                                                                                                        MD5:ABD711617A4E2C64977A3ACE0123CC84
                                                                                                                                                                                                                                        SHA1:03188191D332E3222E1492CDEC32930A1D705C25
                                                                                                                                                                                                                                        SHA-256:633FC7289FACBD96052CB7A51303633FFBFAC2110A3C6101589E46D4A655B95A
                                                                                                                                                                                                                                        SHA-512:E1C5A8950DD581E301007F1BFCDAA483F607777FF0E648E38C3D478B033680661CC199A603D65F2D7D3B08695897026A36FAD9D1D3CBA3CA50D266569B2EB091
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.783878066091884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:adW1w3WesWn3Nyb8E9VF6IYijSJIVxV4yBM:P1wxd7EpYi60+MM
                                                                                                                                                                                                                                        MD5:7C34FE56430A8C273E6DC963445A13C6
                                                                                                                                                                                                                                        SHA1:999FDD2BB131DCB5882D6C6E5C53FF1946D1C3C2
                                                                                                                                                                                                                                        SHA-256:CB75C698D30AF2515BE2D804F5C99F6D00CA677861DD50D06527BAA178491622
                                                                                                                                                                                                                                        SHA-512:4623C99D59BCE3619CC473EBED84257BD96DE3BAC892DEC4668FA89E6FFDB3B6F40E0093D9CBC674913D396575ACD4424A13B729A6A6B8BC509D1C75D92DD1FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ....................................@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24616
                                                                                                                                                                                                                                        Entropy (8bit):6.595542177965201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFN:9yp12Bhkg3qnV/srYEpYi60RZ
                                                                                                                                                                                                                                        MD5:2F2705A28E19293E2918EC4A3490B78F
                                                                                                                                                                                                                                        SHA1:7BC61FDDC75486A8383D94E7E624F479041010F2
                                                                                                                                                                                                                                        SHA-256:CB74B1AA7057AC369FB545CD0DF01AE8A76CD0650DC01F9DC2CEF980D7F9FDE1
                                                                                                                                                                                                                                        SHA-512:AA225660906EC89E5D1358A1CEAF661F89EA1FFE14CD6B69D86D7C9E7249E06854BCA3B228FB3053155A101BBBECBAA2843CB50BD23B41C8257C0E04D9B43EF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ....................................@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852674050741342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YHPAW1bWieNyb8E9VF6IYijSJIVxJ54bg:crTmEpYi60V
                                                                                                                                                                                                                                        MD5:08ACDBB77FAF00362B38EEE3B1021005
                                                                                                                                                                                                                                        SHA1:83C33BA5ED2FB016E78EC21EB9ADD43F7D3CD86A
                                                                                                                                                                                                                                        SHA-256:78E6E083FF2741E8DD6AD3CD22E857354BEE8CB943E1416309E63333F251C791
                                                                                                                                                                                                                                        SHA-512:B61F0473190AE6C221B78956A9AB76F93C96F9A8E5E79D1FD259862037193D871ECD4924ACA3B3449380013D572FE5EC3473E31CAACE37C4D0FE491B33063E6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................-....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8526653705597695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zNoqWD7WJlNyb8E9VF6IYijSJIVxeYzRisP:zNofwhEpYi60VosP
                                                                                                                                                                                                                                        MD5:94F84A310A3300FFE8047189F2A6CCBC
                                                                                                                                                                                                                                        SHA1:4CC23D897F9F90E36EDDF224E54D69AFCAD0F395
                                                                                                                                                                                                                                        SHA-256:E05FBD11DC5FEC61899019D7836396A7C025E0D4FCCD9A0EB5EAA91D834EFC73
                                                                                                                                                                                                                                        SHA-512:43FCB0E681225AEE222CCC1EA3FF63A6AA4DD141653C910D3AD40C638A6BBFA6E2C8406CCA01D4FC2CCDB7465B53D33ADCCCCE320AB6A15207FAC8580AA3045F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................cN....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864685620785427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GGETSAWUEWSWNyb8E9VF6IYijSJIVx6tEb7:sT18+EpYi60L7
                                                                                                                                                                                                                                        MD5:C0EB2AA399EC2C0D6ADB4EE6C5126636
                                                                                                                                                                                                                                        SHA1:EADC9C676E6408FBE7FAAB773E33702E894979E9
                                                                                                                                                                                                                                        SHA-256:50B1FA1556FA8989C11BE79BEDF036B883830E8454E4A4228A327122BCF6FBFF
                                                                                                                                                                                                                                        SHA-512:70A3DE2B1C4764A8871C00BC23CFCEB8C0CFDC4A9EA5AC66645CC339B655374A283BD2CFD9705472D61805370A5C8A3345E5B8557A6DB6D79049D709761F2204
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................".....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.51209301175418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:uPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb767:uWw0SUUKBM8aOUiiGw7qa9tK/Ybs
                                                                                                                                                                                                                                        MD5:ECB5AAC58404396112B354062BF74337
                                                                                                                                                                                                                                        SHA1:C8B6C9CF0D7AC71BF12C2CA870BD329A4FEF71B8
                                                                                                                                                                                                                                        SHA-256:754A2559DCB18CC759A00E1DF30EC834FDC07DCBB781AB141643ADAA5E0D2C80
                                                                                                                                                                                                                                        SHA-512:DC36305F501A35467310D2820FD2AEA642779DF19EEFC084D01EEBE28AF2831A8B5589EFC0693EB662A7CCAD0942926A9D55347963CC771C0D0D09C2B95DB1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ...............................%....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.849436982000894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZcDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsvqGQHU:ZPKBKnEpYi60NiGQHU
                                                                                                                                                                                                                                        MD5:3C31EE2B27F16A4B2452DCE791BD6F62
                                                                                                                                                                                                                                        SHA1:76DED6E5B11CB942BE9C4B87EF546071DD6F6AD1
                                                                                                                                                                                                                                        SHA-256:54ED63281C8D38FADFD8E7601782996FFBD9DAAD4C710E20C90F4E266C4C6F04
                                                                                                                                                                                                                                        SHA-512:56E6A7B7AC94493A86D68C35C910E92B895533AD694A416E3E6491E14AAA97491195A6C1D3F3DEB3C5A7CECEDFF4EA0EC65D495A65C652AF82F935F1F69122C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ..............................S.....@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.858418738536182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:t6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMFHR:AIWD4WmiNyb8E9VF6IYijSJIVxM0nHR
                                                                                                                                                                                                                                        MD5:E404E9D0E1857318AD4555418621D2C3
                                                                                                                                                                                                                                        SHA1:2A3D60967A08001EFD9E0B2E32BC8E98127794A4
                                                                                                                                                                                                                                        SHA-256:202A54DF5243F3362BB4DA4C093654DEDE7F94E43B050E20FFB22291418E6E66
                                                                                                                                                                                                                                        SHA-512:7A02392420816325DB8930339255CEAF51C11C0AD03501CEA6F226F365740D2BB98C99AA05D04F5A4C4F239A77CC6B40A076BE093BE19C4A1E65A42231AF7C5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................p....@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.7840723636197335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aW2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlGWxX5m:NMWzQWc9Nyb8E9VF6IYijSJIVxN/JvW
                                                                                                                                                                                                                                        MD5:5F1F5EC1E68D69D5C768D0A7707286E7
                                                                                                                                                                                                                                        SHA1:EEB435A9A79D06584231F4FD91734CFC94C351C2
                                                                                                                                                                                                                                        SHA-256:C9720AE379F8069952500F75C3191E311B1537D8515047B2236E9A5B35C60390
                                                                                                                                                                                                                                        SHA-512:4FE171C36EECADDFBE6B068326A05D7465BA8A6C4A81D2885D6BD94A628393006AF4CB15CB12AC04B6E8A42FBAEC73C1F43BA5A92180B3A109607CB47302A0F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................l?....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.72570998567299
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9xDHKWAMWcpNyb8E9VF6IYijSJIVxlPK0h:DD8GtEpYi60Vp
                                                                                                                                                                                                                                        MD5:6DC964E9A729F59D3F7ACDB9A27C9C45
                                                                                                                                                                                                                                        SHA1:8983467CABE35B6C46CFDE8E8EFD548BF498B061
                                                                                                                                                                                                                                        SHA-256:D4A35F9CB91B7910C8C247DD7A07BBAD7D625787B82C4117712BA9FEB6055912
                                                                                                                                                                                                                                        SHA-512:A0511371083A659F0B344DB5A92280E2B98CFDCFC9C4075F40E4DE295184DD189E22ED563D04D2EC547B4363549AAFC34E51F80B3D6621D0A449DD746A0C2C4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................l....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.831254121146028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qeyOPx:qbMSXEpYi60pLx
                                                                                                                                                                                                                                        MD5:A2C4B2E2B08F80F9292FC60801A8C757
                                                                                                                                                                                                                                        SHA1:C058F7FB26416722F27C7AA50D9DBD53DB012C7B
                                                                                                                                                                                                                                        SHA-256:E9A7AC50555C363CF88675038991DF98D97B4E074F394A0496DCABC00D66770D
                                                                                                                                                                                                                                        SHA-512:58958CC25797272042659CD25F06C9211B164F2A522F03ED53B24B11357E0A5A6FF932A5F1C398AF223AFEBFF96F0623B5EBD70AC7EE0A42C21701658453A513
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.884487188270577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTWOr7o:numtEpYi60Wldo
                                                                                                                                                                                                                                        MD5:5DB94DA2D50F9660D9F749BE056434B6
                                                                                                                                                                                                                                        SHA1:4C1DAE91099886424AB3A813D44FBA6A636CF176
                                                                                                                                                                                                                                        SHA-256:30CAF11BCC29237D52C83374EE580F0FF4B7A9DCBF21CD75A1B17B2B11D7B2E8
                                                                                                                                                                                                                                        SHA-512:EABF9832024E1505CBC238D2F9D4A777CC6DF7797340EB25DE8DBEF7C4C4682A9502B143BEC3664643F3888647DA606D9A172B21D71DD478040D4F3A51B3732B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................FP....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8318443464700875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TLnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1ba7A+:TDf4ocEpYi60gb7+
                                                                                                                                                                                                                                        MD5:B78CE612B7E92466B36CDFF4431AD1A6
                                                                                                                                                                                                                                        SHA1:9248C5EB01AAD3AD4C12677EAF1BC2E4126B9738
                                                                                                                                                                                                                                        SHA-256:23436583765A3180081E2C6B96B8F177799A7AC2B1ECBEA226BC96D2EB04D0B9
                                                                                                                                                                                                                                        SHA-512:7F25F3DDDCC9A2633C6DCECBE0BD83BE6CC6827C760666DF766FE5F87F506BED6C94E6A301E4BA49F603F6858CB2F5DA4FF758DCB82E5D1AF250E005DA3D48A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................s....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673296258904213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB57c:Dy9gpEpYi60Ae
                                                                                                                                                                                                                                        MD5:3A0946ABA4AA0B0B5778A250F6ED27AC
                                                                                                                                                                                                                                        SHA1:B970229FFA04428F6D60D1C9381ABF320D424D0A
                                                                                                                                                                                                                                        SHA-256:472BF1CC97392CC7F346C9F4324DD826C279C99CAB990119CC80DA3FBDDC2129
                                                                                                                                                                                                                                        SHA-512:33DE603317DF5ACB9CD1E7649B0834E8836DC208366E75133564280C18A17404A9F55FC8682319ACD94CA4C175F95D6F8F6C3F2330259B563526B594A4AEC17B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812805534610478
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Jna8WK1WLfNyb8E9VF6IYijSJIVxY439G:Jna0ojEpYi60i
                                                                                                                                                                                                                                        MD5:D28FF1505221F33F58296E951C1789EB
                                                                                                                                                                                                                                        SHA1:E0FA2F18A762E06F7D64B4A9C512E37D9AEAB600
                                                                                                                                                                                                                                        SHA-256:53E0F85233A90E560E0B9C4DAEF8945A838505DF2CC3BB1A7EA36765BB698620
                                                                                                                                                                                                                                        SHA-512:5C40A5872BBEE334A140E8046BF089E21098DC06176EE594D023F8440AFE3CDA1778DA8BF4725D7C9F95BAAD52F8E2E74C3F74D07DFF58EBA238844FC96F8623
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ....................................@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.765085373011992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5BSWITWWSNyb8E9VF6IYijSJIVx3mR6ZX:56LyEpYi60WR2
                                                                                                                                                                                                                                        MD5:15C00D2B3289442A382E8E358EE92040
                                                                                                                                                                                                                                        SHA1:A218EB0F26AE8D22CF2DC42AB1DBBA7050E10703
                                                                                                                                                                                                                                        SHA-256:0CE8E3ED177E94382208B61D28BE3EB32269A3F208A1AD614A0AA37B9A8B5A63
                                                                                                                                                                                                                                        SHA-512:81E41383E3C2E250FAD471B1E4733BDF3378804C88BC0AFC239EF9D3FD129A76982BCE40B52DCD96371DCFE78E9CD5A6751BB00E70EDCBC4EDC0A7879FFA167A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ..............................;.....@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872654686394797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G88cIIWNoWJiNyb8E9VF6IYijSJIVxJMuG0:G9cU7iEpYi60G0
                                                                                                                                                                                                                                        MD5:989839E4FF834AFA88C8A89D5C5B0A55
                                                                                                                                                                                                                                        SHA1:4DE5124ABAD5C0230A7D6E88822A4E28A90BA309
                                                                                                                                                                                                                                        SHA-256:1179CB6F638E6DAA670B75A82ACCEE65788969C6355C03D9DF708406269E7584
                                                                                                                                                                                                                                        SHA-512:A14463B212D223E7D987A3BDABDCB09DEF7AFCCD184F8D034B93DB52D913EB89541927CBDFB3BC0C558A731FC09C3DDE78B9991BEAEED468F8F6A52138FFE98F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ...............................z....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22568
                                                                                                                                                                                                                                        Entropy (8bit):6.620984449083178
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXpaY1:QrmoFmWXX/NEpYi60bwY1
                                                                                                                                                                                                                                        MD5:2F2FFAB3A3B163FF7704A5766DA30D8F
                                                                                                                                                                                                                                        SHA1:A9A9779721AE2EAE2E26464518FCF618B2F52D30
                                                                                                                                                                                                                                        SHA-256:63BBF869A66DB2BA9507B435B2964CCD91BA713AF3C64E757C0C4E40A8B5606A
                                                                                                                                                                                                                                        SHA-512:D1CB33B4E9DCDFEFE6D10DF235E1D3082E58E9EF0A4E4EF337775636C050D14E97CA4F238E7D33D7FDD786057801679D0B03BB8E728CE97BE2725E80965334A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ...............................O....@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.674513594159353
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:509bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVss:wOAghbsDCyVnVc3p/i2fBVlAO/BRU+pm
                                                                                                                                                                                                                                        MD5:A6DD4492122C3B05E26841BF763D8CA8
                                                                                                                                                                                                                                        SHA1:4EE03E0DB9DE2179888F3ACF713E74DCF3501E29
                                                                                                                                                                                                                                        SHA-256:7AF874CFCD34E341458ACF7F7B2BE5A6EFD51CA4CF63136F64E608F04C1FD96B
                                                                                                                                                                                                                                        SHA-512:E139B82D73F09759E5B26088FBC22E58BAF5A70ABD63444CBFF152EB3F4A5720F108B84047F55D4756E822D4A2CC94B01D75540785AE7A108697FD0BE7F4D483
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ..............................)<....@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.833205974292201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cmYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRF0IMT:c7W6RWmaNyb8E9VF6IYijSJIVxZ799T
                                                                                                                                                                                                                                        MD5:119FB494DE18C7851BE378596E0DB77C
                                                                                                                                                                                                                                        SHA1:0661625ACE5556827D8655DE364CC0B9249775C5
                                                                                                                                                                                                                                        SHA-256:71D4DD649DEED3D934F17215D1CD0D53D906E6500946C4A1C73E7A7F4F588EA7
                                                                                                                                                                                                                                        SHA-512:63DD9F9733D80D8F560CBE7CA577CCBB81EF14A33E54A39C61AC152F2BF22434D3D105C377E50A7002A58D9E00829F275452D56129401AC4B14C10E675CEBC75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................}.....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.92349173979631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKdCd8d:eI5HFwTBI8EpYi60lA8d
                                                                                                                                                                                                                                        MD5:E6B5F6440BC7D3CAE67E367AE3B3C0C6
                                                                                                                                                                                                                                        SHA1:E7AC1D39F72E44D31927F10717FD29D6DC442984
                                                                                                                                                                                                                                        SHA-256:FFC1B5DEEBA31D33130A2FFF846BB6A9C7B3C5D977CD30E04964F1D42DF77D10
                                                                                                                                                                                                                                        SHA-512:94B66BC2797DCF48E3DCA504B0AE76A11438826BFADCFFF20938FA52820DD1E97B767DB1C3D200E0B4CF57EC1FF776462B9F88A4AC8BF4377BD3FF0150A1799D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892290398632148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxnBF5:uAJpWfkBAbEpYi60X5
                                                                                                                                                                                                                                        MD5:A1F1422C8B103D8B855DAE40D5E61142
                                                                                                                                                                                                                                        SHA1:349CDF5DB44F08A9C472F8B0923F4CA6019CA236
                                                                                                                                                                                                                                        SHA-256:0E49AF27963895F413C566C0D715F0B20B3D468FB4D914A1BE45D800720CDF34
                                                                                                                                                                                                                                        SHA-512:A2A36487BEA55EAE3D9A5E384E7DDD86AB5194BB0BA42F50C48B81C432795911B5DA7942EA5667AA313AD8D39C7F5219C8C78ED054AE8613F26B7DEFDE4DF1A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ...............................F....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21032
                                                                                                                                                                                                                                        Entropy (8bit):6.539763813232213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRN3B:I1dyAqgQBfqyTBZZEpYi60t
                                                                                                                                                                                                                                        MD5:185DDF848D7943C866469B6C85BE168C
                                                                                                                                                                                                                                        SHA1:E14D1F4F7941BA3E575566CD8580E597D2A16376
                                                                                                                                                                                                                                        SHA-256:62D54C9CB394CA33A2E2AA4BFC5862AEB7C4F82208C307120D531C03CCF46903
                                                                                                                                                                                                                                        SHA-512:6A669F22D30C917091A70F3A93131BC3189EF0A3110489C139A750A9250C84D61938D14646F1A061CBF1E732F86480252C6F565D82D45B2DF8D63AABF1E8F7A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ..............................k.....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18984
                                                                                                                                                                                                                                        Entropy (8bit):6.680630337143418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:apsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8orQv:AsPMQMI8COYyi4oBNw4tBrcEpYi60ov
                                                                                                                                                                                                                                        MD5:0179437AE44AC887A538F44BBBA85A1B
                                                                                                                                                                                                                                        SHA1:D6158F26235B0034E834832122D7A9709CE6D386
                                                                                                                                                                                                                                        SHA-256:129B421FFD25CCAB64E61CE490FCC4072DBE43BBC3743139E04B73B54A91BDB4
                                                                                                                                                                                                                                        SHA-512:5C6D797C7C8E58AE73A4533D24D2A94714FC7FB1C318A5C1C9DE286D1582E9302440E1B193F6E04C3AD1AB606760A49E51534828CA19D8C4718A6555AE17B4A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................;W....@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23592
                                                                                                                                                                                                                                        Entropy (8bit):6.3177610625281115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTR1g2r:IbhzkKs9TEpYi60h
                                                                                                                                                                                                                                        MD5:E6639AE075EDD94FA2BC128A56EBB468
                                                                                                                                                                                                                                        SHA1:021D0245A9D83F662DC3C176BD9281FC7C78CF25
                                                                                                                                                                                                                                        SHA-256:C942ADFA7FA4F9C1B4F167EB28B153DF6A21B638915A04E1BA62E61B1F356AFA
                                                                                                                                                                                                                                        SHA-512:9EB9236557EA8E495DFC87C4DD5E511448F3916994C5943ED684EAC2C74FDB379078776DED8FD0E5FAD89442F8ECE712DC6DE7BA2AF9E1DF6D011319225FA3DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ...............................O....@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864608994529631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2UcX6W9aWTmNyb8E9VF6IYijSJIVx7y5zT:2UchXuEpYi60k
                                                                                                                                                                                                                                        MD5:FA52AE24F562E0519560C9EDE6F659A0
                                                                                                                                                                                                                                        SHA1:9DB85E79679EEE39276D1DD714127894DF4335EB
                                                                                                                                                                                                                                        SHA-256:66C1AB079D2735A8FD178EF2D36F0627E8A33AF362EB0054D7111F25BF4E7D49
                                                                                                                                                                                                                                        SHA-512:ED4FBFCAA82BF7A9B887B5727179DED5D521E25DEBAB5C8D0BE2D484775D4B2FC6262ABA102DE9A7A4D1590ECFB6AF4E0E3D15776EE66C3EE8AEFACB7A334E33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ...................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41000
                                                                                                                                                                                                                                        Entropy (8bit):5.952017062241917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:CoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60vu:xPmb9WKs0PeeUJ76Yu
                                                                                                                                                                                                                                        MD5:76CC6A639A50E0F1E1C8B2638125A2C6
                                                                                                                                                                                                                                        SHA1:294DA051988C4F0E6C94BA71C67062E11602F411
                                                                                                                                                                                                                                        SHA-256:381CE849AAA4ABD28C4BFAD14349E602BAE571898FED928153607D0068ADC5F5
                                                                                                                                                                                                                                        SHA-512:8CB21F14E59BC2928F77152564ACA3599C0FB64909075559B44E6EF2DDC83EF1BFF68FC4B35218EC4BF79DBB5F0DC4401F24EC281E280C5BFA21DACCC216DEFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ..............................7.....@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8957951336831576
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8TI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypH1aw:8E3bnEpYi60pph
                                                                                                                                                                                                                                        MD5:152D8A8529BB53E40562AA32BD1455EB
                                                                                                                                                                                                                                        SHA1:5915551044C314BD2BD66C23FBA86BB44227D0CD
                                                                                                                                                                                                                                        SHA-256:30C7A9ED18CFEDB8F27BB46CC4CD4B586A58BCF0AB4AC0A6D103856508ED8207
                                                                                                                                                                                                                                        SHA-512:F5A0D14D2C9B059FF56C0DE679ECECD9C3A1AF1E39057A58E590B142372344C5BD4AE594D2D76E9080FDC5814601C926665CA5B344578CB1EBBFDA8D30E396E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ....................................@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910295083255079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lcezoy4W04WGINyb8E9VF6IYijSJIVxmZqa:lBzoy+kgEpYi60u
                                                                                                                                                                                                                                        MD5:788EEDD2BCADB4BA00C308E7D4A6D112
                                                                                                                                                                                                                                        SHA1:03E7742F956979399110C3033461D3E72904B29D
                                                                                                                                                                                                                                        SHA-256:FB80AA162FB7F3366D60FB2DC51B56A17155182B90809995E77ACA2AFE2D15F7
                                                                                                                                                                                                                                        SHA-512:25E8E352C381FE5B329CE27C02A69663C980AADFDD6C8FD5251AB5912AE63DB90D34ADD98E172A39E1E8BAC365717079F8505FDF93BCA05371682B8FB1E4D871
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ..............................m.....@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.79546328311258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cUgHWexY+WKpW5FPYNyby2sE9jBF6IYiYF85S35IVnxGUHFjekhqHbA:MH/JWKpWDQNyb8E9VF6IYijSJIVxXeHU
                                                                                                                                                                                                                                        MD5:A25577998978B87CC8D443110AB27B5E
                                                                                                                                                                                                                                        SHA1:55A2FC5DE2790AE7B7414D9193D4B10A64244658
                                                                                                                                                                                                                                        SHA-256:762B44EBE2E5FB61CF29F387D7BEE17A1550802EBA7AD153AD142FBC2EDE89D7
                                                                                                                                                                                                                                        SHA-512:77D4ED6105A65585E793CC6E4541A874DC1B269EFED8A4851AA8CD6025337C88FB726549CDB3067DAA5A0C920DBC616B7CF0E083EF184B52361C4A8D567EC2EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ...............................?....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.7447495341904595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qTjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLyoWK:6boYyFiEpYi60tFn
                                                                                                                                                                                                                                        MD5:54468FADBEC6DBA182D2C39AE9CB497B
                                                                                                                                                                                                                                        SHA1:521A56DCBE7D3178BF62616A9EFE3D6626059F70
                                                                                                                                                                                                                                        SHA-256:59567BC0FD8A4872FAC5A214CD853F019149A89097EDDC41FCD70AF2CC6993B8
                                                                                                                                                                                                                                        SHA-512:90FAAC13B9102021EC79A9AB4F20C423E1B4D2262572CC3707F5EE55C394A65205C808FCFB52AF4D86677BB5E93B198E4DBC12CB22AD4EC3DF5FB275ACAB57C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ..............................y.....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.844665709244569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4SKiWIhWG3Nyb8E9VF6IYijSJIVxLp8V9:4SK8l7EpYi609I
                                                                                                                                                                                                                                        MD5:E34063501621BD77546941CDB2B5C1F2
                                                                                                                                                                                                                                        SHA1:B7AA35806E1C69556AECFC351AA7A3D6C1585402
                                                                                                                                                                                                                                        SHA-256:4DE4CF5C699EF43CC37E53A66E86B771DE7BC7029179173EDC28EA58BD11B8B8
                                                                                                                                                                                                                                        SHA-512:DF03F08E92D2E0FD5B6CBAA62050A918EA01BA2011DBDDE1D5B7DEC0EED04CB95570A4BBE0C1D45E8CF4AEBC38D287010FF76BD63B7C1209A51D8FD7E3307497
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................]V....@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.785674552898244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8lkBU5:sKRyhfEpYi603L5
                                                                                                                                                                                                                                        MD5:318C94B42D32AF384E8A32B518002E7F
                                                                                                                                                                                                                                        SHA1:084BFDD4A02F365B305241ED4C0A458940BADB70
                                                                                                                                                                                                                                        SHA-256:C5D36F0A84164B0ED3B7F6B2906F6A58D610A3AD6EDF3ABC288338A8625931B5
                                                                                                                                                                                                                                        SHA-512:C03AA9CD8171822971CCADFE1AAE2D07B3FD9749C3D147A66276C783BC708148D51B2DB6ED644DCE8490D144B339D6587B72A540D1702D3FF754EAAA08B735A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ....................................@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874692610973363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qb1nWCXWr7Nyb8E9VF6IYijSJIVxnY3An:U7yXEpYi60j
                                                                                                                                                                                                                                        MD5:A972AE027F809D65147B5E5CCE0CC799
                                                                                                                                                                                                                                        SHA1:BD46B74E9CEF9A424F6915505CBD2B1011131ACA
                                                                                                                                                                                                                                        SHA-256:C57017889813A1732C512CC5988EFD08746CB02471C8B19C3DF3A163D7AF909B
                                                                                                                                                                                                                                        SHA-512:F46960DEF427278CFEABA9B32F58BEA4ACA024BBF0D6641A24FE3FA84CBC8FA7DDB8D5B1776B18EAA5EFCDEC5CEB6551F3200BD8B202C7302A938E95B07F780F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................2.....@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777125012846138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HLyW7TWyDNyb8E9VF6IYijSJIVxRr9nw4:rfPfEpYi60D
                                                                                                                                                                                                                                        MD5:DAA6187A2ED4605964108B9ECED1CDEA
                                                                                                                                                                                                                                        SHA1:52D53C523EE8331D6AED99475290F979513A54FA
                                                                                                                                                                                                                                        SHA-256:1349E02D55471E06C4936425055BD61880773A861AFDD2E7421D4755BEA62841
                                                                                                                                                                                                                                        SHA-512:07F284D4A7941673D5F5D8436D2125EAA4DF6CD8605B26F32F6E90F4C35CCD07A2100E640E4A7414741F8DED3396C31F1FDDC75759A6AB3708EE59DDF1769530
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906192008068945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:a6Rb32WVzWwtNyb8E9VF6IYijSJIVx00yf8yVo:1Rb3dtJEpYi60Sf8n
                                                                                                                                                                                                                                        MD5:1DD9B77627E1DCD7B80AEB2EE27A606B
                                                                                                                                                                                                                                        SHA1:395F4961394959DA52FAE061368C44A8BCF9A312
                                                                                                                                                                                                                                        SHA-256:AB1CFF60B51761E37309A63B1F57AC9B8A588F8427867523488642A8C97320A9
                                                                                                                                                                                                                                        SHA-512:0BC71EA7FB83C155D4F17E6538A7042AD804E362EBBDDE89934F5264B7A56FD2C2191603D6A1130F70D607489F5C3C3F16FCE3D5689C020902F35CEA703F8E8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31784
                                                                                                                                                                                                                                        Entropy (8bit):6.537237080993636
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bu5I+sqOylryry8qqIfUc7a5eMEpYi60mn:BYIVBpry8qqIfUcm5eF76Nn
                                                                                                                                                                                                                                        MD5:78E831E0FDCBBD349EB80E7A717FF355
                                                                                                                                                                                                                                        SHA1:32F3B7DF1D94BC98D62DA15944F477863AD6BF0F
                                                                                                                                                                                                                                        SHA-256:338B234FCDBAE4D7E19DC237DA559AFDE50D21A81192C0AFACDF2AD055BFF8FF
                                                                                                                                                                                                                                        SHA-512:136DD7189F40A4C67629C2D45BF80F611C63BE6AF586AB8975DD627729A935CEF0EC31193585436677C5DF34E28BFFF0691D4682439612431A603B4A0183E0AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ....................................@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876786974883989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ovn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDdL7TD0:BS/I4EpYi60nk
                                                                                                                                                                                                                                        MD5:352884106780AA616929ED1AD0577C31
                                                                                                                                                                                                                                        SHA1:AF6D887BBB0C92D35ED59F3777C0D2583E75062C
                                                                                                                                                                                                                                        SHA-256:4B6A835E273EFC191EB1C0A55DF63409EA281D035FECEF02622F92363BE940C1
                                                                                                                                                                                                                                        SHA-512:CFB65C378EFC302E37A2AD2AFA6B8DC9DCAF7E39EA2994022DDEFEB86F575D05CC29F02B991E3F123B1933DA6CFFEFE86117F03AEAEBEAC015237B68D60CA9D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................7.....@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.77027842758303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:78MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoQO:gMjKb4vcGdO7LEpYi60+
                                                                                                                                                                                                                                        MD5:BB0B262A1E19497B8617D5C54CA274D7
                                                                                                                                                                                                                                        SHA1:B079BAAACFD3CA4236A567F1095AE6D642885BE9
                                                                                                                                                                                                                                        SHA-256:BB2FD944A31A8D2D3C8D0234F59D8167C4455C0B3C130019C45BAD8CD1F66C74
                                                                                                                                                                                                                                        SHA-512:FD0CD25A69805E12BD44914711BA12416C36A661732973131C8FB394FE15DEAC2F80EE10F3467D03C08B306CC55B9FFA39AEC741580144DE51B111CFBBA0C029
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................ZZ....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8552515980726705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYheFI/:3ztEEpYi60cQI/
                                                                                                                                                                                                                                        MD5:5888BA6BDDA6697B8F718C2DA08893A0
                                                                                                                                                                                                                                        SHA1:3F1168B27ACA1B65B28AE808C24DC4A0CE410B2B
                                                                                                                                                                                                                                        SHA-256:4091E50AF61775BC11F9E2FB4D6C2C282DD3A2267CFA9109F00A14C8755C5CF4
                                                                                                                                                                                                                                        SHA-512:6B37D628EDC968054AC44585AD7879EC45DE6D68BD62C88DCEF0FE48972CD1121F4311726D3C022C71DDB413563979913A40E652AED467A0050796EC01244F56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................\.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.862846916378626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zvs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm8MHN:zuM0xEpYi60PGN
                                                                                                                                                                                                                                        MD5:140000726444F6AF5359A562BDB552BB
                                                                                                                                                                                                                                        SHA1:7C8EFA451F889F1B104AABDF9E8E30D59CA9F379
                                                                                                                                                                                                                                        SHA-256:07D6A00E63F24C3AD8E8B5A620E4BCCCF5A64B25C5A53C3140253F776F4E0A4A
                                                                                                                                                                                                                                        SHA-512:841C0185C12BE5D6A49EC2362439FE9605AB53914C096423FAD34E48783010AA62FC71060D904A506792E6F9E83F6084C065C7807F874245DF0D8348840F0B4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.829096685601233
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtOZ/R:mFz1c60EEpYi60LqR
                                                                                                                                                                                                                                        MD5:3B8709DB32BE67BCD75859A4CC55D3AB
                                                                                                                                                                                                                                        SHA1:56EAF23919EB9370032A246A74E9669740E64691
                                                                                                                                                                                                                                        SHA-256:977FD5826719F24285FADC540C0F7B74053E7B9B724D160BF884681DC85077CF
                                                                                                                                                                                                                                        SHA-512:4AEFC904647119CFE002CE787DF5463816ABA97BEA8548F10ACB7DEE8D69CBDDF2FD252C44C491AAAE40404B611D262B14D42B3A6BAB36AC47C2FC67FC7DD8B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................N.....@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.725331273299116
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:r6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJZGV:raB/TEpYi609
                                                                                                                                                                                                                                        MD5:53092591BE1262409A40F8FA5C0C2B09
                                                                                                                                                                                                                                        SHA1:A4E823FC42B13218AB9B1EE75502833ACAE32DB7
                                                                                                                                                                                                                                        SHA-256:F5E828D4DD748A67D2B1E18E69BA3EC9D26070C5ACB1B57D9A70D535AD038735
                                                                                                                                                                                                                                        SHA-512:34BA74A4991FCBB2A711921012DE590B50CD347A79E0ADAB4C6B4A63C72FDBAD783BA582D70A0B4C2C7044AF04BF658657BB744865D8BB32E6454E805703786B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................l.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73256
                                                                                                                                                                                                                                        Entropy (8bit):5.9528236640882195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:X784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nRf:X7N1r9KGI04CCAskwRf
                                                                                                                                                                                                                                        MD5:29A6127FCF6139A25AF8693179D46AED
                                                                                                                                                                                                                                        SHA1:6165AAB80873FD7C46F04023D10801C7D736A21A
                                                                                                                                                                                                                                        SHA-256:F7FF2F322A27C3832B25EDDEEAA2DC54CB466D1F53C598C1295D6D9B6283A796
                                                                                                                                                                                                                                        SHA-512:A4201388AFD38FDD392D64422EDAB439884A163B663A83053B2F46C7330682742B9650EC5337A43547BD681EEE6E4CF5BD89D6E3A3F889DC0A24F5B2B3694D9D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......$....@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.854768377208066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3r97WquW6/Nyb8E9VF6IYijSJIVxkp9VUc6K:3RJKDEpYi60elB
                                                                                                                                                                                                                                        MD5:60882D71149BBE641AE5BA05E8B60BEC
                                                                                                                                                                                                                                        SHA1:08A84CD2C479BA1877D74E628DE4545B33C61CB0
                                                                                                                                                                                                                                        SHA-256:BC2E11F2DB69BE3F3556AA6A59E5E31A9E970E464DE51626BDE6A5DED469A0EF
                                                                                                                                                                                                                                        SHA-512:6035F1AA55C8B2B286D12E457B7324D4C90B0BC3F863C86B5B7476A50324552A2D2099D6EAFC54D346C17CC9B04B6DB52634F7A3FC185B2FF4F5074E99915FB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ...............................h....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.792441439661817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:316eWLDWGoNyb8E9VF6IYijSJIVx4OtciP:l6LbAEpYi60r5P
                                                                                                                                                                                                                                        MD5:2F9706BC54DC610C8047C5187F26FBD6
                                                                                                                                                                                                                                        SHA1:2CFF1A2D481B8F191BA651ECF4D1583FF707C428
                                                                                                                                                                                                                                        SHA-256:CADF8DBBDDEDE96C06C47817B98A834119D4C831295B0FFF48708F1B70DBBCDD
                                                                                                                                                                                                                                        SHA-512:E95A6A7020D43BF41498C565C47DED8D057C7106DE50506D51E9F6A09F6AF2F5D306B71D778AC7F52CAA01CFD2A9F1A1467A8A061A36CB8A01E23E266B1FC73E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ...............................l....@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.786390980413795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:O8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxPFD:BGZ5OwEpYi60V
                                                                                                                                                                                                                                        MD5:3C9610222E9B847F102AB330F085ECBC
                                                                                                                                                                                                                                        SHA1:9DA03826DEF2D8F7F8EE1A4FA16A4D8A0CC1493D
                                                                                                                                                                                                                                        SHA-256:A081FCE69771198389D32AAC400D6567654815595F836395EBEE17377661470D
                                                                                                                                                                                                                                        SHA-512:2C1D103B3E6D5DBEF62CF2C8156B8B45136CE572FEDAFE03A3178C02EAFEC524D275766E2C1823CAE95BFDD08D8CCC76954450CE58F13D444E7A35B686C1120C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...............................w....@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.898555778840737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPgdo8sq:MYT1cREpYi600T8T
                                                                                                                                                                                                                                        MD5:B6D36F988DE6DD6209F22AF582B4E939
                                                                                                                                                                                                                                        SHA1:CB28B1A9813DE047E691679820630E27FF0C939D
                                                                                                                                                                                                                                        SHA-256:5685B6F7A4B5D64DE5A9E9F05D56BA5B577882E87125A64B9246DC8F5D0011BF
                                                                                                                                                                                                                                        SHA-512:C867B99984CBCCB31F3D9BAEA8D2079C202FC7E54E224A44895CC4E00D80DBC433EF1B0A1CAFB7E00B3B926E601EB051C11588C05C40AF6AA396F000EA6EBE4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................S....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.808946442672549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILAkdT:9M7c1m0EpYi600zl
                                                                                                                                                                                                                                        MD5:1F659D5017DAFFA15E3672898335F7C1
                                                                                                                                                                                                                                        SHA1:36359E0EA40902900A2540126FB35BF8D4A9F963
                                                                                                                                                                                                                                        SHA-256:DC731D628134FB040EE094E75A0CD8F2D5FE8C211A7A468635DE20A7297C7FC5
                                                                                                                                                                                                                                        SHA-512:B5FF6AD7DD57CBD20F51D0D159971E09A1A3781E3CA477355252BBFB695D5118C7423E719426BF68AB4C06E97C8E1AF5BF9A992C03535C78E72C6596A4CFD862
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ..............................*.....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.852070312826578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:T+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nz6Ub:iSWnRWJ0Nyb8E9VF6IYijSJIVxI3Bb
                                                                                                                                                                                                                                        MD5:8618BC9691BDBD9CED63DDC44F752CA1
                                                                                                                                                                                                                                        SHA1:1C6931790DE77D4D7D2C632DB16A7A4D9AF3C06B
                                                                                                                                                                                                                                        SHA-256:F6241E4B1496804B81B5FF21DE6B73B660858D226BEE8A38BFAA24D4706F1584
                                                                                                                                                                                                                                        SHA-512:C73739A1CE07F56BB9106C5B528FA22ED57C92BCA1442D1D2E12F60D77024EE851229F9E1048B29F3764A5881C002463C9F06F03DCDA3301E5BD6265464F721F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ..............................V.....@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.051708811439406
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6gueg4VgiQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:mMVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:6FB74BD8B572D5BED6FF47B245EB7D11
                                                                                                                                                                                                                                        SHA1:74916ED5C2AE9935BE2300ED2253CFC4042826BA
                                                                                                                                                                                                                                        SHA-256:2E8FEB9E8656516008E716CF2B26D164549143557FCCC82D85C76F95CD1B0F54
                                                                                                                                                                                                                                        SHA-512:7BC511D8D0B8EF35D881F035BCF4C32D8D07B4AD12C276AC218DBBE6A2124F4D9512F49BBA8AE8F56C7AA3DC39601EED0A5D4F559271BFEBC05BE57B43372B75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-19 09:00:54.1361|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:02:05.0157|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:03:56.9115|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:05:27.4637|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92712
                                                                                                                                                                                                                                        Entropy (8bit):5.48308029356687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:I2Ec05j4eAH64rh5fSt5T9nFcI94WYG76v:vlK4eA7mDmWYG4
                                                                                                                                                                                                                                        MD5:FAB1E6796418DA835C861AF332271C10
                                                                                                                                                                                                                                        SHA1:5FFB9F430BE3A9AE1D32A7BBDF592771E093846B
                                                                                                                                                                                                                                        SHA-256:A99C68919595987F3982E5BD87DA9E1D3ADA2A5CF83902DF5F74F84BA77560B7
                                                                                                                                                                                                                                        SHA-512:911CF5698BF7F806BB8E6EBB3990DC87A19CAC07E85EEC65611616049BDFA36978F142FDD24E97697180F8A4451E356C4B5A7EE4A1439B9AEB62BC2D0F8539D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ....................................@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3025042
                                                                                                                                                                                                                                        Entropy (8bit):7.999916223562118
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:53rRy8gYvdycfbTjOX4BrXwlslM+5k4r6MFEsXQtSVEPRLzLrqNiuEoZpHvdJ:nyVYvscfbTCX4BrgGlM+5sLdLrnutHvL
                                                                                                                                                                                                                                        MD5:A42CA7554DCD9D44E00EECCA9AB94D40
                                                                                                                                                                                                                                        SHA1:BAA6C0DF8624F2D9318F9283B1F74C2EA729CE0D
                                                                                                                                                                                                                                        SHA-256:BC519A967A2B55EC88A1575637416AAD650F18F7B9611FEA592A2DBA8FADB2AF
                                                                                                                                                                                                                                        SHA-512:3939C62C178401778139A3AFEFC707F31A9E31E3565D308057387399944AEBB5E9A522BA96875DEED95EF4B62EC48CFE076E470301F02025090707B5F5F1D12D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....,X.YVb.*........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(.......vo.......=G.(..1.'q.z...#+/6..J..nz...../.?Jr....5..}...`.E..6U.f..l.hx.<.(.=.9...x.^.U'He.....a.M.wA?..H...M<..g:.,4.UP...F7..^%..f.AkB.....\.$..S.....Ok%c....I.~..[..*.....|G}:hO.A.X.l.8.b.H...k.y.`......F.\Hl....+<.{fi....*C*....u....VHZ...}d..nX.+n....e.X.# %.R.,....D3...]H...W..T.s.k.=.................I.d%....m.Q0.[..w..faU@........?.C..M'.T...Z..W...aU.p5........@a.w..O...NG.7S.5.....K.$.9....%+.l&..q.....O..P.l.$0....*.sb;....0.+.....-......vb....."...E.7.=!$..@......0.E..a.H7....y.W..I<l....X.).....3n.B..(.f.@$R3.Q"..o...:...j.A7.i..$.;.J..!.F.Z^sr*.j.Z.b..../...I.=<p2)...M......E.......G9."CMg>P.f.<....M6.U.N......At......|.g.'8.g!.?.#..5."..&EH.q....k..{.vl.c.C\Gp.."....M....uIPQd.?.)..;.%..a...#t.D..Yh...1;..g.....6.0...mt1>Z..W..oB...-.........g....;.=p&+...-..U..m.Z.9%..rrU-J..AN."........Ju..(....E..8..Y...,.Z-y'....fU,T....FH(.4..b.}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):6.1734473732187025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FJZ9Gx/x4S7IRyh+ngOBF3l+ywIsybx9uYL6uKJBtYcFm7B6K+2EpYi60FCI:FJXA3ogM1+KTbxOuSxm7Bl+376kCI
                                                                                                                                                                                                                                        MD5:B510053DF9FE982D47B6EA5664D297E0
                                                                                                                                                                                                                                        SHA1:A1DB720FCE84CFE680048AF1C96F46AD50979F09
                                                                                                                                                                                                                                        SHA-256:7AF2687BA4AEE16773F19FD2841A3D14649A4A2D95A436AA71D9486A0F4F813A
                                                                                                                                                                                                                                        SHA-512:194D410EC774146CC6872816F363001B059D280CC516EF9E2DAD5E67C535470DF3485F18F5CBCF474C695833C355B46242DE4C76907FBB498C4BB8537F10B7E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bg.........."...0.................. ........@.. ....................... ............`.....................................O.......................((........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......HR..Dn...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1251
                                                                                                                                                                                                                                        Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                        SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                        SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                        SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLT:WBTn
                                                                                                                                                                                                                                        MD5:16471EE4E999BCE1606E0719ACBFA90A
                                                                                                                                                                                                                                        SHA1:584D0F835EFC5B9E1FC5B2F1BF33017D179A4800
                                                                                                                                                                                                                                        SHA-256:A46B27D2DC0022BB13FCFEE8652335A7DA452A0FDE7C3AC5869386CDFC51EC0D
                                                                                                                                                                                                                                        SHA-512:CD66259CA440A5690782C006B7227F6B971732C002F66B0E7735F8B2ACA74DC6B5CA651C52F16B873B3006EB7AB1656097A0D0A6C3ACFB88141B1AEF0A881422
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.1780368656490525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Xgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tU7:X0jjnl1wuDYjQbQgLbZs8DWdKd
                                                                                                                                                                                                                                        MD5:F6DB8D8DCB7372721753731F707C0F27
                                                                                                                                                                                                                                        SHA1:EE11FCCFE73C9F240B0B8F59514430FD97725831
                                                                                                                                                                                                                                        SHA-256:269844F3ADE7D60ED6F430381A674B6D11F44DB92DE42A7E0693CC8AAB69EC77
                                                                                                                                                                                                                                        SHA-512:38650D5E8408C3E5D81B2005D210E0DC8E355E3E3A3EE3B866AFD52D2F20F20DBDCC7B0E20BD8A792382E18665F68339647ABAF23B07A126C631B9DE3F80B7A9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ....................................`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.309969565003418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:BINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgKSI:mNsii6v/HS0+OJd5gpKm76tgKSI
                                                                                                                                                                                                                                        MD5:5E7154FD3F7DD66A4B7B0AB221E4AACD
                                                                                                                                                                                                                                        SHA1:75E5E69F79FF4AC077C57153878C4D2555212D5D
                                                                                                                                                                                                                                        SHA-256:F4207A0F6042A4AA81D41E556172F72B77880D79A871E6488F7F4B7FB82ABF92
                                                                                                                                                                                                                                        SHA-512:CE857254A45958D68AAA0BE5C70F5B124DDF7ADD1221A9F8D2CE7181BB6E674FB5DF97EC2B986A399458809CBB7181BB680E11CE1045D086E59D86AB2BCA790E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ...............................j....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13415465462374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:TjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvB:T+e55LgIkTmyAAfTnMLvB
                                                                                                                                                                                                                                        MD5:0DD4DA624B578E22BC52EC1A63268D53
                                                                                                                                                                                                                                        SHA1:3F3F0AA9C82C003D9109D96BF8C2282E31090BF3
                                                                                                                                                                                                                                        SHA-256:4EFBBFA38A255206D4225F59BB4256E76456D7E8F459052F94B0DE31E9B1CAD6
                                                                                                                                                                                                                                        SHA-512:52C934F0F9D12B5917758B7020350020C9709E935290B3DA616905A7B8D2067BBC082819850F4369D3444D39EC8B8ABBD4B90A42C684F7662EFA6C5058689A6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`...........`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960586754000778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:EBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU+:EBjk38WuBcAbwoA/BkjSHXP36RMGr
                                                                                                                                                                                                                                        MD5:22F8D55A5028466C0C540A7AB6B01CBB
                                                                                                                                                                                                                                        SHA1:5ADF286C40A561CE41F34FF14691B629499608B7
                                                                                                                                                                                                                                        SHA-256:D04259D7AD4B8BAF0B4785B62AC5D57C4AE29FB53A75D3086A1F0F36DC54EBEB
                                                                                                                                                                                                                                        SHA-512:CDA480733453B4AFE04FFA9606035C5FBC4E15B76F140B7777D9AB281547652224BFE6567D91C4935BCEE823CBF610142611B8A3AB6CEE5C9CB3EB1A8F3BCEA0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.677602378097781
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Jy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqggr:JuhMaVmzDC6k0EpYi60pr
                                                                                                                                                                                                                                        MD5:361A9F426991C28649975A578725070B
                                                                                                                                                                                                                                        SHA1:E2149D28C23AE4FA44DD603EE20CD3F105E06E92
                                                                                                                                                                                                                                        SHA-256:D63BA6A32B521DC8037387744DFF142E6A9D0DD3BA7C8051C582D0BEED66AF81
                                                                                                                                                                                                                                        SHA-512:2332D1682290203586F9B4AB77489DDC2E06F211E1CBB404DD967C11076E35B3A857498F509163AC2BBDB0EC12DFE5CC39C01751275E58FB2DE799394BD6D369
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266903472034974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zc7R:fKC9niwOepJ6TJPeb6NIUFg76Kzc7R
                                                                                                                                                                                                                                        MD5:5AA58117C951A8B3D2E8756890E6B399
                                                                                                                                                                                                                                        SHA1:D9ADD5A738FFE868B6CE81D5D51B4FE804488E47
                                                                                                                                                                                                                                        SHA-256:004211F0D37D46DDF0BD39EF4C876F829DB375217FE49D1481486B2A0D989F81
                                                                                                                                                                                                                                        SHA-512:C5FC699FA15B9002FE20BAA3ADD93F197D7FEECAC1C8FC6C04CC98F3A04067A469D480C4913B98FCCFBCB3B7DB9F88E645C040CE41E4B846563D0E3B11E535F8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@......5.....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.179083456656891
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHs:7h0qjC5RMOHO420kN1b
                                                                                                                                                                                                                                        MD5:99291D660DDCD7189F06A624B5890FA8
                                                                                                                                                                                                                                        SHA1:C479F9B892B63620D8E3076CACCF981BA07DEE5B
                                                                                                                                                                                                                                        SHA-256:143169AE643EF7C57A686AE438ED3A60A96F40183A405C957210071E03EBD130
                                                                                                                                                                                                                                        SHA-512:D14FAEAD5965D7FEF7CD6E4C60555C8ACB4444957A1AD1A6A8E31A79DA136777F78371254CBFE6BD61159C0BAE1F3637635263CD3C1FE127F9444262C4A13659
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......o....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.632355386892864
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08dtdf:cCn6xYEpYi60k8df
                                                                                                                                                                                                                                        MD5:1F46091292B625078854475032DF0C80
                                                                                                                                                                                                                                        SHA1:C349144704D281E461E677BF2DBBD18A775437FE
                                                                                                                                                                                                                                        SHA-256:D456D089C2A95EC0B80D47C6BD6402A41F3CF0BEA779C0E83ADBC60E87D9C273
                                                                                                                                                                                                                                        SHA-512:8BBD0692E89F6689ACE14C8501A22D6D794B50B86D640A137A5F3DFF0369EFFBBB8382C61C6375535C8A38C9593F4F0C42D637EA6210242D2429C8C93C8838E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ..............................A.....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.191168053094701
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ObYKKxlexFymgpcajqin3BecjZEsCZMRPIFvdCSILjREpYi60USU:imsW3IcFtCMNAvduja76JSU
                                                                                                                                                                                                                                        MD5:F0606F9D6C6B56BF489BED9F59E878D8
                                                                                                                                                                                                                                        SHA1:F4F810D397A2780944457D47C6A148F264CE29A8
                                                                                                                                                                                                                                        SHA-256:C81AA5F743B8FBCE0F26FFE5C748869930B99CFD6A2244A848C232B5E318F58D
                                                                                                                                                                                                                                        SHA-512:088DDCF85D4F0E638927429F29F066F72F8767997ED03A873ABBDFB062CA470B7767522475BE446F064BE962E2887EBE73FCDDCCAE370B7019B5A5E611019C14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z..........." ..0.................. ........... ..............................Z4....`.................................9...O.......................((..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................m.......H........M..|k............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1140
                                                                                                                                                                                                                                        Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                        SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                        SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                        SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655016
                                                                                                                                                                                                                                        Entropy (8bit):6.267127748986723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:NCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIj+:1lV1qKpkfqbjeGVr4NHYJ60i+
                                                                                                                                                                                                                                        MD5:1E1E15B9417CFA73FEE79FA3E9E74F9A
                                                                                                                                                                                                                                        SHA1:B7D796DE149EA3333D3B1FF9CF4E6525661688B5
                                                                                                                                                                                                                                        SHA-256:59E8B9D1A75CC139664CA3C407BFB3A5DF33CC1D8DC5F10172AD807EEB494639
                                                                                                                                                                                                                                        SHA-512:5E394BA0FDF671AB71BE469948EAB480763269B4ABDBEA1669B0B153E5E56AF7809E1135B12FA80CE044AEB8EFD3E83F7E92A7199258FBFDB6C3CD6D1E663183
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e.......e...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280616
                                                                                                                                                                                                                                        Entropy (8bit):5.690983314558455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:RG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCY:RJrycoB3HVeESME3pnaVTS1nh7hCax
                                                                                                                                                                                                                                        MD5:25132013038069C6D20F303F33557656
                                                                                                                                                                                                                                        SHA1:752FFCFF9686A1C48C9E432547FA91CAD10B7BEB
                                                                                                                                                                                                                                        SHA-256:80C6030215DCF6E759E9228FC957659CBE48A54F7BA9DC0C02AF834F4E1256F1
                                                                                                                                                                                                                                        SHA-512:DBE88A367AA153BDF3CFB5AC9028A478E0E2CE460D467AF4F0C10DFA6A7271434984CDDFC86D53D4F868466E050C9AD20FBA5C51A2C67A4FF452C2034BC0C39A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`.......g....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342316
                                                                                                                                                                                                                                        Entropy (8bit):7.999331258360695
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:Ir6VUI82xfkgpWrvL/JVW2L3ukK29GSya5GZ7F2vtVygTNBr6VEZGqTkxU4sAQgY:Ir6+jAfk/rD/J3Lun8EaekVcgTzr6GZR
                                                                                                                                                                                                                                        MD5:09447F135F7F4486C165061CF443C569
                                                                                                                                                                                                                                        SHA1:3AD4264DB3112F845D35C112AABEA9CBB2E21AFA
                                                                                                                                                                                                                                        SHA-256:0142E2CA4F93C9631591065DC53944A86E4B961620F4FAF1FE8B61A8B2867C9B
                                                                                                                                                                                                                                        SHA-512:BE678FB5CA389198A5CC474C8E9E9D0C79A92A582CB81325B13D8BE226725AD04FAA6ECC3B4B7CECAEDAA6F15EC13F01C0276100EE19FAAF0A1B1DD7D061F31B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....#D.Y.V.:........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....(........m......~.;8w.8...N.....]..z..1.o.?.............b...T..*.....W......v....,.3.<~.@.U...F]....oCo..a..dR......Q.+.Q+.#B..7.\.@.>o.;..J7wd........H...m.G/.^Y..2..u.._.b.0.%T.U....,^........W.....MS.+...;..N..63d..m.0w._`V.J.t..g.x....?f=...81}j.SS.....*.z..M. ......=Y].yD.<..S..,.{..x&@g.&.}...A...y..<z`.Z.a.>H.......wo.k..]9.9..-.YvL..FhQ..P]..1.+~d.....'9...4O?.$h.....2.`..G....2T<..(.t..q.W#..]C.6/a...o....Q......c...X.....]q..U.%.....8...~..k....~.b...c3ob(G.&.S..8g.x.vO.Cz.yk.p5....i..-=.p...=^...wg.....N...R...TL..... ..uP...Q...... ..5....u..Ydn...RW..w.;).n.v.......WA.Q.........2....,Z....T..P..."....[h......~}..N.k...].6..M..|.......To.......'..Q...&.y.........v...OK8.e^..%>.e..B1:7.#..(..........;...79|.....n..u.,..[....#Q..........{...T...i..H....1.8.....S..|__....^Cu...*....M..T....r..._G,....H....T=..?3.X..{.5..".0(6...\V...p!..1..S...d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72744
                                                                                                                                                                                                                                        Entropy (8bit):5.510938920637226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r8V3tfciq9s2k7Xvpci+yLYCJoUu7Q6P+O76q:klPna02B86P+ON
                                                                                                                                                                                                                                        MD5:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        SHA1:C47A5A33F182C8244798819E2DC5A908D51703E8
                                                                                                                                                                                                                                        SHA-256:C936879FBB1AA6D51FE1CDC0E351F933F835C0BF0E30AEF99A4E19A07A920029
                                                                                                                                                                                                                                        SHA-512:232015FE6BEE6637D915648A256474FC3DF79415AC90BABDFC2E3DED06C2F36FCE85573EC7670F2A05126AA5F24A570B36885E386061666D9EAA1F0DA67A093E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.Pg.........."...0.................. ... ....@.. .......................`............`.....................................O.... ..P...............((...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........B...............................................................0..........(....9....(....~<...%-.&~;.....t...s....%.<...(...+~=...%-.&~;.....u...s....%.=...(...+~>...%-.&~;.....v...s....%.>...(...+~?...%-.&~;.....w...s....%.?...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........4...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXRLW:WBRi
                                                                                                                                                                                                                                        MD5:B22628235C1F44AE054091C8FDC82D23
                                                                                                                                                                                                                                        SHA1:70C8E5ABD9D2D8A18B769F6E71819FB53B273B9B
                                                                                                                                                                                                                                        SHA-256:B31673E38897D5D84558E2745D02C553649A50063A9F0E7DE7E71BBA89916232
                                                                                                                                                                                                                                        SHA-512:C1097690938F3EDCBA20802DFB77880FB29D1F8B70C62FA76D1828613D57355FD04C0B3D26DA90128DB2DF2E63E4E30C8E195B84452C0931B8CB2F043D5BBA98
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=24.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179705686579105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:FJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762s:FQUm2H5KTfOLgxFJjE50vksVUfPvO1m
                                                                                                                                                                                                                                        MD5:C548EA0CD65F5981C2DF82A0177A9D3A
                                                                                                                                                                                                                                        SHA1:5D082BC6BC2D1F2267AE8525F3A528A0B58C3161
                                                                                                                                                                                                                                        SHA-256:BEAFAA0CF51CE914B58482094044A6CC742C3269431A812D5683CA3034ACCD84
                                                                                                                                                                                                                                        SHA-512:530AE2069185897612E0129135065954379F75F6C9F9DAEE3F7D9DFE49C7CEAFC8807DC866591F39337410FAFA76733705C316912F3A12AE85565ECB775476F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................;.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960555604702895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:UBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU4:UBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                        MD5:1792F462B4908235FBA6B3B4B2203276
                                                                                                                                                                                                                                        SHA1:E1B0CF8559C330377E2DE7FEE9FCC0FC3D34566A
                                                                                                                                                                                                                                        SHA-256:8CA1C3651A6F118C80E712BCB9C44031EB3D8C7180A60EDA5F2B24A0584082A9
                                                                                                                                                                                                                                        SHA-512:7AB9E256A4359A5560BD8C10014591F350F2788F72693234C16AA0B75F95F9EE3CF5E219B97A33944A5E730202BD355064885FD060812EE150107FFC84C92F65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\attendance-updated-time.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18
                                                                                                                                                                                                                                        Entropy (8bit):3.0441104177484006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WjGeBn:WjJB
                                                                                                                                                                                                                                        MD5:C145A7DAF152B0B2D199412FB2165B00
                                                                                                                                                                                                                                        SHA1:DC2A5A6029BE3A37F00BCBB7023A0C7B673D8629
                                                                                                                                                                                                                                        SHA-256:84B7A50C12E7E0844F97D2A61F1738C7B8448AD40D425F03CA3E5A2F035CB48D
                                                                                                                                                                                                                                        SHA-512:13A9FB01837D7E2E9292B4FF2093CA8A8236E37B802DB1D4D2EB1A386EAD6A7EA0443312D66126BFC34923B52EF130CA118E91243C9BC7FE0A41DE9AD9D0323D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:638701955847905073

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1560
                                                                                                                                                                                                                                        Entropy (8bit):5.067643264689313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:rQ0/bqd+sVNPBMiQ0/bqd+sVNPBvQ0/bqd+sVNPBBEK:EUbgd5SUbgd5aUbgd539
                                                                                                                                                                                                                                        MD5:13A8E49399F3C57B59EABA3DD611F28A
                                                                                                                                                                                                                                        SHA1:BEABC7AF6FD2699198C9A82862AB16D80939F88D
                                                                                                                                                                                                                                        SHA-256:DEE3FCC658CDB366579658BC0A9D471538393EE4CB884B8EB96147C892565569
                                                                                                                                                                                                                                        SHA-512:285541726E6127998D2E25DF182EC78ADF87B989412F817B50DB68F115A6DA3E3F5D7F652C92D07D2C3BBB0DBA28312C402090138CED0542C1768C39E2BFC07C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..19/12/2024 08:59:44 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..19/12/2024 08:59:44 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..19/12/2024

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):687097
                                                                                                                                                                                                                                        Entropy (8bit):7.999301462450433
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:/RXzKywF1eMeWoENSWdoY5RI+L77Abu6o9atsrK/4WUHkei7aMpOIlv2H:hzKP9oISAoYrI677AK62aGWZ7FpOIK
                                                                                                                                                                                                                                        MD5:15BE7A1225D2015FDE97B5C2BF27569E
                                                                                                                                                                                                                                        SHA1:EC3041B31C796EED9E6AC6E565FED3B5068F198A
                                                                                                                                                                                                                                        SHA-256:686058C3A01FE67FC0CB8D1E66535CFAFCFDE584D07781FEB1461618826364CA
                                                                                                                                                                                                                                        SHA-512:02B6307FDDF2D4F22567C5C7749B9ECF5BA124057360494A545BC02871558CB6FAC0224598C43E76F683C4A3C9126D62096E04D53769ADCA75DAD0416137CE85
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......@.Y..IV........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....(........j.......)..%.....Y...U..j..a.y."Dr+xC:.p...&.v..3.1/.p..{h.`B........z.W).*....s...........5.4...B..Oi}...?+Y.....*...........RO..O..'..k...<...]D..Q;M&c...>-...#F..l.....U E}......Z~y...VYc..C.......i3..O..`..}....t~...AX....Z.....4.@...'..M3.B..>Q2B...-<... }.Q....X....|..=.........Q5..6...`..;..>}..8...g..@..-4.._w.W...o.D.Il.z?.&.. .\z..v....:.....w.$G.C.G.M.fN..1`W&...zM........8m.4...R4a.+..ZS./w.Jy.Z..*.bj1.gV.[.b.,....,(oT.uY..M6~.F..O$.>.M4.....oC..uP.K*.r.C..L5@i4..NT..\{. .....).{.~........u.....V.D....~....\.UL..........^...5...MD....2.On.a-.i........X...O..#V.X.2..$.....x^[.h.b...&p.....JN..,S4O.g.n2e....*.u...".E.W..-Tc.....b....=.@...}.V....6{I....N.s.j..1.X[...`s..6^...'..jI......h...J.60.6A..#U.w._[.Q.o..^...m09A.. :.B.C>"K j.1y.>.b....b...I... ..H.H..........4..q.{.....M.D.R2..|..J.Y#.1.xIZ.u.."....,.y?h.H...0.[.y......&}.|..m..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.286030081106931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:esXr7JfmSn0jVGcxf3KI3NjkfE53Tnz8ztFeDZUBEpYi60Cc:eOFnarB3NwfE5Dz8LEZUq76Fc
                                                                                                                                                                                                                                        MD5:6BC1A40E1C27E34FB38B1E646AAF7EE2
                                                                                                                                                                                                                                        SHA1:2B35EACC9498AB06AB46B0EB13B1F1846CF96ADC
                                                                                                                                                                                                                                        SHA-256:372204BEB17F9AF59A26C1F1CECCF313C30ACC7466F1B29B4112430BCCF48E84
                                                                                                                                                                                                                                        SHA-512:C04D75AD9F68FC669F99C35B053E74FDB9383DB6C9042619420DAD5919EC63819E7073803E072ED8B5B41CE0454A7C5BE3D81A40EBD3FCF3B073333E8BDD31E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Zg.........."...0.............^.... ........@.. ..............................(.....`.....................................O.......`...............((........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................@.......H........C...r...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):923
                                                                                                                                                                                                                                        Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                        MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                        SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                        SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                        SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSgUn:WBZU
                                                                                                                                                                                                                                        MD5:A68FD83B6812524BA659708B5323738E
                                                                                                                                                                                                                                        SHA1:4898AF8DDD48B89B6D0F57D08C795E477D9FBA49
                                                                                                                                                                                                                                        SHA-256:358327E0D5BF2182C61872CE9282B4257E4A2B0540D17DAA4555FA679A229B1D
                                                                                                                                                                                                                                        SHA-512:9E4B73DB126562F7A84A8FB8EC2A1654E9CD8DB6236305DC5E64F445B266545A6AA506D8C37161577AD780538697F29A96CBA3CBCC4EFD05B7BF47A1F140573B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.11

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14888
                                                                                                                                                                                                                                        Entropy (8bit):6.879305102210371
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:fC9aM0P8P2Nyby2sE9jBF6IYiYF85S35IVnxGUHFi3oCj:fC9abP8ONyb8E9VF6IYijSJIVxu9j
                                                                                                                                                                                                                                        MD5:B8414539AA307D28D54BA4DA49BAA62F
                                                                                                                                                                                                                                        SHA1:94ECC4FD997802F9DF2EE0A09185454FC072D065
                                                                                                                                                                                                                                        SHA-256:0362F585CBDF093BEA16AB56C55DF1784610EAD257BBCD4D2EB4D1DB38014627
                                                                                                                                                                                                                                        SHA-512:96CEC5DF1F3CA6ADF9B5C57893029DA46E082C9E797F7D5D369F5349412DF96F6E11084A265E7FF774BF83D537DF7C4F5AC9DF4B071EFF8012B27351D55340F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............'... ...@....... ..............................#p....`..................................'..O....@..L...............((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................'......H........ ..............................................................R.(.......s....}....*2.{....o....*6.{.....o....*BSJB............v4.0.30319......l.......#~..p...l...#Strings............#US.........#GUID...........#Blob...........W..........3..................................................................8.....@...........k.g.................................T...........].V.....V...................A.!...........H.!.1.....!.c.).........V.............8.....P ............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112680
                                                                                                                                                                                                                                        Entropy (8bit):6.177500062233969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:+tsGQngrGJbFzosIehOKHbeqRMFOblTQFHRbd6U/pC18VdUEvfkAS77S76iy:+6fBzoWtRMFOODbd6U/Y18hK77Spy
                                                                                                                                                                                                                                        MD5:6970C828E51DC263F4F14CFC9303003B
                                                                                                                                                                                                                                        SHA1:0243FF899BE76A2319521AAE08D35A1737EFF21A
                                                                                                                                                                                                                                        SHA-256:321F4FFC7E16A3B6A699F891730F5862C0933009BE5D84E510871791F15430C4
                                                                                                                                                                                                                                        SHA-512:198D41EA1CD366F9387CC7A8DBC6BFB8171845168B2120989E09E11407FCE1A7FC1B2E297105876424A3B3D380FC5B44C46ACF931DD13EB0D3A18CF1ACF821A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.Yg.........." ..0.................. ........... ..............................c.....`.....................................O.......8...............((..........|................................................ ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B.......................H...........t"...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...td...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.309788080581439
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgy:ANsii6v/HS0+OJd5gpKm76tgy
                                                                                                                                                                                                                                        MD5:4FFD20EBA9EAE8A4D71A4CCD589E39CF
                                                                                                                                                                                                                                        SHA1:D0199278A626E9D295072FA5A8582A15C7583C55
                                                                                                                                                                                                                                        SHA-256:C3A249955F2BC7809B96917A3BB5A69BB5F7A54FABC023EB9DB764CA5B7B9C5C
                                                                                                                                                                                                                                        SHA-512:991D82B4A1FF9570BCDD9C912CBCAFF8C80A94826707B2BFD8915AB3F732A6152834CF936F4D518A1D6CBA484FB48523F61536CC409B1F28F08FEB7C3C4D28C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.855499793771738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:S1c5HLPirxWW4/wyNyb8E9VF6IYijSJIVxkAM:S1cpmPNSEpYi60E
                                                                                                                                                                                                                                        MD5:0060823775F16743AECCEB6DE4DBB8AD
                                                                                                                                                                                                                                        SHA1:3266F6FBE2E91777B51A3A40A523B5448BE5EFE5
                                                                                                                                                                                                                                        SHA-256:6188C16B6641C3D418537020382E562AC39F7B2C6599B6326EC3F9F05EF227B0
                                                                                                                                                                                                                                        SHA-512:44ECBD43A229B2554875182B7853634BE35E93F76DF3299C5539B366BBA0C2D07E3EE87634C97000C7B78C7E5451BF2D1D58E52F54F60CB7AFB047781C2B2FEE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............-... ...@....@.. ..............................].....`..................................,..O....@..................((...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1017
                                                                                                                                                                                                                                        Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                        SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                        SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                        SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428787028244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:R+e55LgIkTmyAAfTnMLvH
                                                                                                                                                                                                                                        MD5:A3008D478A57AC234CDC253BBC7F9F60
                                                                                                                                                                                                                                        SHA1:528437D2568842658F68E92E9B27117AD4015037
                                                                                                                                                                                                                                        SHA-256:70F2CB79D3FAEFF43AFD9128D67C568FF7167C997263B7CDD13EA994DA6ED1B5
                                                                                                                                                                                                                                        SHA-512:F971495CC1469273EDB055718BEA8B8EDE6EA04214E938BE987B662E0CCDEDFBA47173593414B171351079D2DDA11C245D9042E32918A3A23949770C5FA948EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......4....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.96056332961101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:sBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:sBjk38WuBcAbwoA/BkjSHXP36RMGe
                                                                                                                                                                                                                                        MD5:1EA58D26DCD24816959E6B35F7BF747A
                                                                                                                                                                                                                                        SHA1:BCB4A937F206E68F4AD107E936807AAE056475BB
                                                                                                                                                                                                                                        SHA-256:2B41CB318A275CAF053ECD8A8024C6C96E1A61FB729327097938A66A222070B7
                                                                                                                                                                                                                                        SHA-512:45001B1D9FC2284BAD9DE450FD73716F882C2F7D1098FE5C8F65290147936FC57BF65CF2CE1CA404FD7125ACD2815DA196A26E097D252837C302A68572E69C3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......&.....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.706389759512927
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Tq+stMuQM22tDNyb8E9VF6IYijSJIVxcyOI:TIMud2efEpYi60H
                                                                                                                                                                                                                                        MD5:D09D334B74989996A2955324B2B69CCF
                                                                                                                                                                                                                                        SHA1:2803A10FDC2D98E730AFA2660AA84B0F0B34F210
                                                                                                                                                                                                                                        SHA-256:96D3ED6E532DBE0759667416F92F6EFD53DB4CB681B41A1F61E1AA5D827BB43B
                                                                                                                                                                                                                                        SHA-512:C5700E8FBB525B248848B633E82920784DD0061B4789E35AD303F3017055DE42AC03188F09D1FA151CD1A3E291FA12E6BB0EFC2D947D65385E438DF64606151A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............4... ...@....@.. ..............................A.....`.................................d4..O....@............... ..((...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):975
                                                                                                                                                                                                                                        Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                        SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                        SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                        SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.673416104268275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqGvg:3uhMaVmzDC6k0EpYi60wg
                                                                                                                                                                                                                                        MD5:CA1C428ADB5872777EC6A105C7D1EFF9
                                                                                                                                                                                                                                        SHA1:6C6F3452E2699E9EEA3D3F300766668359917EC9
                                                                                                                                                                                                                                        SHA-256:F08F707F9CEA7ADB4D43573533CE2CD357AC04616B47FA6D4A1A81F2EABAED6D
                                                                                                                                                                                                                                        SHA-512:4BE96D58EB63B867C99B60CC29026A5D7BD0BFBF7FAC869C6C4C5348554568B3B88448A648782481C96C303B4471941D8F597F3DFE13BE9EC63C08951117FE1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266761914470489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:iYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zRL:iKC9niwOepJ6TJPeb6NIUFg76Kz1
                                                                                                                                                                                                                                        MD5:182E1E00BDB7B16C66169A6A9342CDBD
                                                                                                                                                                                                                                        SHA1:5B25935680A57926640092EB2CB7838EE2C86F9A
                                                                                                                                                                                                                                        SHA-256:BEBE376EA2274F3723F93562A47F977EA036A719E54A35511EA7E9521F8C9E36
                                                                                                                                                                                                                                        SHA-512:95569350BA7E0EC54C067CC262C2F8E8017C9CFD1E663F0681E802FB1D4EE590CF6BA36DA8E9CE31CD5E0FB919CD3101D4F17E021D6BF25B045FE03592F91F80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178858736123087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJH9:3h0qjC5RMOHO420kN1W
                                                                                                                                                                                                                                        MD5:E28122AB74176E6CE6FDA6E237615B9B
                                                                                                                                                                                                                                        SHA1:36B00A7D5C91873AB0FA555DF7384498108FFF1F
                                                                                                                                                                                                                                        SHA-256:030F115AD1F8298B7F599B7399A29FB86786D99EC98F3DC33A7767DD69E0FDC6
                                                                                                                                                                                                                                        SHA-512:F054440D510DA500B42C63E4872D001DF6C3E86EE317EC8981E1B077474F9A22A13C507F1827F8F7C23A28A0EBD28CAB007DC21F415540C31DE46EDE210FDCD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......na....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.633344050480558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF082cu:WCn6xYEpYi60k8e
                                                                                                                                                                                                                                        MD5:BEA66EB1DF29AD0860D6394CFCBF7DBC
                                                                                                                                                                                                                                        SHA1:23173D6A2BD055CCEFA3F7845478D58EFFC0B915
                                                                                                                                                                                                                                        SHA-256:D56B6020C47CE10B4030E533442CEC7DB713F19DF407F4CC8D5860AB108B7A1E
                                                                                                                                                                                                                                        SHA-512:1B8800F05729AE46AA80E1BF804AB9DA964D8B881724EC82BBB2188FF186B7E8C8891F02BB4C2DC956C1A4AC443EEBAC513AE37A604C4451BC6D8F7205417DBF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27176
                                                                                                                                                                                                                                        Entropy (8bit):6.33278245676455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:An1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi604L:AnvXYcIh6yFIFBYpcyX76z
                                                                                                                                                                                                                                        MD5:48A2F08D9B23752C60694F6362229FEA
                                                                                                                                                                                                                                        SHA1:06AB43F0C7365676D8AA46444E9CC10351B73ED5
                                                                                                                                                                                                                                        SHA-256:16FFC7E3B4B0425EB0D9676871E068B862A5F46A235842D0669F2942B366271D
                                                                                                                                                                                                                                        SHA-512:08404FE1EBD554AAE3086A2B3E1D5D9B9F1E1E61A0E24133F4BE3EB4F134AB920B1A0AFD6967772C8FDA6D959DF8A4C030F1E68A930944ADB82D912B146CFEA1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..((..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3264797
                                                                                                                                                                                                                                        Entropy (8bit):7.999874275656608
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:wmlKzCGP3O8ZafZGor7w2Xtapa8vte3kntR0+:DnGRZafZ2ja8JnXz
                                                                                                                                                                                                                                        MD5:FF671B6085BA35E1BBEBD5D2389AB7D6
                                                                                                                                                                                                                                        SHA1:D7719A66E303C4E854FABA873B781E0084F36998
                                                                                                                                                                                                                                        SHA-256:4F2A43098F6EFF50A03FDE9E134A4C8B7DF6FE7E9A9C6913AFEEFE0DEEB1463E
                                                                                                                                                                                                                                        SHA-512:F5A63EEB6A239D7BE9935CEB1240AAE7C9F3A8D5740D665B5FDE6F28A7667FEB345F88BC440EBE7D6A0512B448F4E3772A49823BC6AD8BA7372E0A31B5F9F200
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....`mzY.W........../...AgentPackageTicketing/AgentPackageTicketing.exe....(........H........@.e....R.l....bkS.b.o.&.....7.o.....6.5|..>..B.8.+C8..*c....j0.....f)....El._..w......l.....E.R.......L....,..|.}.?.1.5z.!.......<m.~SB....G.&.....e..?..sS.E...+.^..".t....r..bPD.G.........".Na.-oN$lg>...[..u...6......R...x..C...u...Y.}.........w-|I....I}..R.\!.A`..Bw.4..(\...f38.I\g.=..Ud)..9..r5...+.p..N.T..H..O:..{8w....d.T.M...;%*..........:.Lm.rh&.j&.F...]..h..u}..&.a.#ev..5......}O.?;..xQ....\....wd...x.)...m.Wc-%..aN..%.M.-..B..4S*.....v......{.].+^{.*_..E...\I.xR...Cv.s=F.....y.g.}iE..r.X...R8..b.1.H%....f{.M....%G;?..G........... ,f.."BH...[...9....@..b.....6..8.....f...XL.K./oi.WM.OJ..e...".]] 24B..n.}..E..6~....~6....g.-........f.&T.zZ...%......^.x...Aw.0...R5-p..I9.J~.^].gj......Ok.....hP..X.c..../.o#.Fz.*..Y../.j.!....-... ...QZ....R......%e.....y...+./*^.i&."HM.v>..(......rzf..v'4...G..n..m...a.>..\..jsM...F`...X.=txRV.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33320
                                                                                                                                                                                                                                        Entropy (8bit):6.271212916167532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w2G6bukIMKWcoIQEIhL4lylU9vfWtkfoi75yHiDMMXpO64REVmiRWNyb8E9VF6Ic:VLKF6EIR4lXdIEDLmeVmiR+EpYi60Lb+
                                                                                                                                                                                                                                        MD5:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        SHA1:C22897EB20900A66CF62023C37D6A7D1192AEC3D
                                                                                                                                                                                                                                        SHA-256:0263A627BBEA55A66DEECD7A43F8537BB68B5F95BB3D4269D3E594BD1D851E64
                                                                                                                                                                                                                                        SHA-512:B56B2143A60E6153E7FB752029C72D78547D5253F32ECBD0DDA5A8ACC5C3859292E860162B11A041A37B4F618F4425484B4E2385D7E2C621C8CBCED073E3A67E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..N..........~l... ........@.. ....................................`.................................,l..O.......4............Z..((...........j............................................... ............... ..H............text....L... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................`l......H.......@4...6...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1537
                                                                                                                                                                                                                                        Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                        SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                        SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                        SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.179971319993443
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj769:HUpviy8UHTRxrybQgLbGm8FUpjO
                                                                                                                                                                                                                                        MD5:FD50AE7287B550575E360113077053E4
                                                                                                                                                                                                                                        SHA1:AB7C072756C7C9E6164580BA9E1E9D1E025850B5
                                                                                                                                                                                                                                        SHA-256:F3C49E6BFC2CEEDD5C3F8D5C07BB5D98E6D2DEB494B066B0878BB3B34136A140
                                                                                                                                                                                                                                        SHA-512:B833CFF36ABFFA34E0BBE8F87F63C24FE3F4F95A2D2C5C7C694F39D21B3E6761D57F68B052FB6423EA78D348214BA5F06D7BCF56F4C10355F3B088BE71D0C6DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ....................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.2029293745881775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhA:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQB
                                                                                                                                                                                                                                        MD5:1AE3ECAC33709823C5C63FC0EEB83C1C
                                                                                                                                                                                                                                        SHA1:68A940D985D93B5EC6BB0629278ED43100DB5C8B
                                                                                                                                                                                                                                        SHA-256:8D39FD0909B98939C03F8F364A8306B53E1AF02F6C122285EB2405E6D390F118
                                                                                                                                                                                                                                        SHA-512:9301F5C579D1B1EF6A0BDB7F29330CA8BA1C32613E9F34132D8E97D9A671FC427F98A21D3E272ACDA72D00BCBCD13F9095E7592C6F67527BE135D1B6C9AA2E15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ..............................R+....`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310987006425106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:GNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                        MD5:8A538A202FB4CC0BD0C8F6DF1B00A7ED
                                                                                                                                                                                                                                        SHA1:A0A609D7C9B4360830902BAEFB6DED9A80C68CE9
                                                                                                                                                                                                                                        SHA-256:650CAC5CAD71CD59077578A6402A829FDF1DC6542DF7C5AEAB996B65FB676BE4
                                                                                                                                                                                                                                        SHA-512:D4D1873F51064A4D151C2950C058087F0F2FEF3496C38BD5206718B74490254652C09FB683A4A8096C51DB4700F029C74DA3AEA59EC1C924E28B181912CDF140
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.6707658881278595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFx:bSJh5tIYQzT5zyF60aEpYi60f
                                                                                                                                                                                                                                        MD5:0C45A5EDD0217F927DA829BCB69B6EBC
                                                                                                                                                                                                                                        SHA1:EAFC8785985724EDE5BE9A01BAD2216EAF78D3DE
                                                                                                                                                                                                                                        SHA-256:EEA3E8AD892CC4EA203ED7C19EA2B0DCBBD415DECCCB407A38ECD785C1A97FB2
                                                                                                                                                                                                                                        SHA-512:23D958CEA8246E57DBE5CDCD7D25BF4B18900004B9364A7492B6DB754B021E91813C32FCBA89D3529503100D51C81B30C236A2D1BCE770EEE2313CC4519551E5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................s....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219176
                                                                                                                                                                                                                                        Entropy (8bit):6.062603743526206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:zYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl9l:zYqqbe2CSod5dtM8ww7Pz
                                                                                                                                                                                                                                        MD5:5B3A6237E3AF3C7AF02CE7F3F670D241
                                                                                                                                                                                                                                        SHA1:05E79F3693B9396B34EDEC73942A9C03951412E0
                                                                                                                                                                                                                                        SHA-256:0F7FBE7E66A78174FCD84748572C4F4A2D03BF4D14BEB2670ADCAA51661A2A8C
                                                                                                                                                                                                                                        SHA-512:1844D5FC440446875FF4ACE95D520CE2D7D0E19CE004968A19DAE4244C8CB8CEBAACD7627F406D6F54B3DC00B6DAC2E497126577C2CB496A184E58B8B6421E37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ..............................M.....@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302120
                                                                                                                                                                                                                                        Entropy (8bit):7.17562583053395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iVub5mx115y505H0jIfJMSFk9X0jIfJMSFk9i3:s6wJMykwwJMyki3
                                                                                                                                                                                                                                        MD5:9D2ACE1AA982BC225B578121C5C2F666
                                                                                                                                                                                                                                        SHA1:44A5F15565CAFE89AAD5AEB5AA7439AD18B70461
                                                                                                                                                                                                                                        SHA-256:66D62CA3B40E51E98FE11738E467405AA9A0BBEB14671F2FF158A830E87C6D57
                                                                                                                                                                                                                                        SHA-512:7C31721AF889403180240A9C68C1DCEEA8EB94C9C3E903CD9258E31E784AD8C62D9DDD372E78F5FB9A581DE68AAC9DCAE5C6C466894670EA27A21DAB3758C602
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .F..........." ..0..l............... ........... ...............................c....`.................................?...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B................s.......H.......$W...u..........@...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215080
                                                                                                                                                                                                                                        Entropy (8bit):6.030450621120585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:N1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7so:8Izm6pOIgvr7R
                                                                                                                                                                                                                                        MD5:A60919C8F8E65F7518286F804E54DB5B
                                                                                                                                                                                                                                        SHA1:9FADD4B771F00E87FF3DDD6C2B3A6FD25A1DBBF1
                                                                                                                                                                                                                                        SHA-256:FEB7575C2D9205C20A4526F60BB69CD631088927B6E58DD59AD561C792122803
                                                                                                                                                                                                                                        SHA-512:93517F2B5475BFD58986620538EF059C1532C2D653BACF8B67FF9A58D2F193F2A4A2338A27E2A0FAA51FCC88CF648BFDACAB261BA4BCF51A73BC815C83266DC8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ...............................x....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428794433901
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:++e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                        MD5:2B53A3CD189BF49E88B602C15418EC29
                                                                                                                                                                                                                                        SHA1:FA3D80250D1F3BD34331FB6FBF7DBEEC7D50DEF7
                                                                                                                                                                                                                                        SHA-256:013A5EE19F0E3EC57CD77B7D6D85EB7C5F8CC9E631E6D04388EA83BF0F307DC8
                                                                                                                                                                                                                                        SHA-512:1221C8961F330B3F50A6DA56ACD54EDEC82E38843C3E2470DEB5F25A62E21927CEF688260221CA277C151B1C5266B841D7F1EB54EFD7C4C2036ECAD72624FDC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......`....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960710652636906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:jBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUH:jBjk38WuBcAbwoA/BkjSHXP36RMG6
                                                                                                                                                                                                                                        MD5:2E417388C1A053781655B4F14909216F
                                                                                                                                                                                                                                        SHA1:7EEA1424B92A3CDA918D9364557CEC4954397663
                                                                                                                                                                                                                                        SHA-256:C887F1417108311D77C8CF6E2DB1D95337ADE1E1BF95E0813EF5A4B8FE92110E
                                                                                                                                                                                                                                        SHA-512:472B5ADCE66638E5FB5A77D686CC0E492BF61556F6B878CFA74FE83D817B8BD057550806B504EA29A2BE91D3C8795B089DFDC83ACA8660B59DAE0180721E1E67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../w....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154664
                                                                                                                                                                                                                                        Entropy (8bit):5.990387112012148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Z4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3d:Z4wZywKn/U5xEwKIk0Wm
                                                                                                                                                                                                                                        MD5:B945BFFBD7FE6C1B5CD7572EB64FBE88
                                                                                                                                                                                                                                        SHA1:8FCC3551664ABB2D870DDFF456F43110BD0B8765
                                                                                                                                                                                                                                        SHA-256:55CD1DED0A3241E59E8F4DB1D97F3805C2AEA17AAB1AC070BCD7B3608201B751
                                                                                                                                                                                                                                        SHA-512:3F7B120800547C96F1C1355ECBC566984775637589D3FA26AAA7F526DF2F6ADFA670F5E17A11BA00C1E2E0ED6CFEC20BDEE7408EA9BFB1292DA84402D321C443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ....................................@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.670013589446811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAw89:4rMcXP64LEpYi600
                                                                                                                                                                                                                                        MD5:941F9C846BA51963D7C3EA4013BBB798
                                                                                                                                                                                                                                        SHA1:BD5EC38B867EA815F89B9C097EE6CAEDED412398
                                                                                                                                                                                                                                        SHA-256:4201A3647C90EA19E6725F458C6236B5E3683D4BEC6FCBB785263DCC1E85D040
                                                                                                                                                                                                                                        SHA-512:3E2F8371ED5E19FE80D7FCCBBE17D109C684FBAC465C6BB1D3C111B31E18F29B8067A9B5BD9AE5EE2F8621DA8E6ADB397382DC4EB27D0CA37B6A1E479CDD81BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................y.....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420392
                                                                                                                                                                                                                                        Entropy (8bit):6.10961231240474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:v5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUF1:vpjblhW1V
                                                                                                                                                                                                                                        MD5:D8C8189A5DD97106CCEBA79018923673
                                                                                                                                                                                                                                        SHA1:007AA2E568044189342BD978402651407B2A48A3
                                                                                                                                                                                                                                        SHA-256:C84CA9E85E70A5E633154275FBA1A493CF6BF69B5E6004004A957675C750B56C
                                                                                                                                                                                                                                        SHA-512:3B47301F035FF31CA9B2B2E516DFDFC9BCE210245BA7F1488BD19432100936B959182FE4C29109D962ABA133C6B2010BDCFA5CF70678FAF928F914E370C66BCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ...............................S....`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266720718777246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zlDW:FKC9niwOepJ6TJPeb6NIUFg76KzI
                                                                                                                                                                                                                                        MD5:54BA7A33F778C14C858F8478AA7CE11F
                                                                                                                                                                                                                                        SHA1:287A7666FE9DE62906A17853AF367E9C280EE047
                                                                                                                                                                                                                                        SHA-256:81242FBCCD00F783E4CB57D7A77720E0D361609B9E3443F1F4FBD53549180CF5
                                                                                                                                                                                                                                        SHA-512:7582EE39AF42C9C8355B4A66C299A6F51061C5ADE5CBFA2A0DA07D8D3898E30A227CFAFA976630D8EDE2638F48E63E2D8A4150E9CB4C6CCD94315094EAA62B7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.160884096361585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqk:2BFd3/aFs2x
                                                                                                                                                                                                                                        MD5:7B46A38CB34CF7129A501D114EED91A7
                                                                                                                                                                                                                                        SHA1:FE284056CDF1079D4AA46EFA0EEA09DC158671D8
                                                                                                                                                                                                                                        SHA-256:0AEDF8E33279A9A9F026EF5000919A1BA38F105B0C3CEE7F6AC3628E1CE441EC
                                                                                                                                                                                                                                        SHA-512:B16BE5B7DFAE0AE5455976B0353D7368FBB080BA4DC85CA4FD56FA01C64DE5E7572196A16992C259C1442EA2D30F212E8D08F7D8F258ADACFBF9D3014CFC2394
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.510686089319165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76k:gWw0SUUKBM8aOUiiGw7qa9tK/Yb/
                                                                                                                                                                                                                                        MD5:0AFC00C0FABFB019074DA907FE70317A
                                                                                                                                                                                                                                        SHA1:B6F8FA76424F44B0EA2FB54A17C84628CDB9B22C
                                                                                                                                                                                                                                        SHA-256:75D8D4D4C7FDCDABC5FBFF18935783A23E0951897B9990339C1B2ECA82F90BAE
                                                                                                                                                                                                                                        SHA-512:43563466B6A356B70717CA53C71D33165B646CA3C6E5771BEFBD08DBA611E791690A0BCEF6F9B3F773265C5C0177BF723046D05C7B18999D0F59C6797D55B8E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................B.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673799804528098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/h06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB1evuWj:/y9gpEpYi60A8
                                                                                                                                                                                                                                        MD5:3699832767ACE8B12E18E10C5ED33469
                                                                                                                                                                                                                                        SHA1:1500E3F31786CB63AB2D5FCD71542D24829B9C6A
                                                                                                                                                                                                                                        SHA-256:FA9B02A2EDB45564D38EAEC7C85AAE9B2B6D6A04BA32FEAA771C0812DC85EE79
                                                                                                                                                                                                                                        SHA-512:2FC97EC4F1FA5486C98FBFF3612BE4AA43D774BC5CD961AB7036F3AB067E4771DEA73FDA22B191B65B3362196FC958FBF1279B2BC4A5D4C1346335D30A5BC333
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19496
                                                                                                                                                                                                                                        Entropy (8bit):6.524234329265897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFZJr:LWs6oqDjADKeDa5EpYi609r
                                                                                                                                                                                                                                        MD5:84E608824D1DE2D0CC7B3C7072F86CAE
                                                                                                                                                                                                                                        SHA1:57A2B02945E478CBC0EA3DBC7CF4041762718EB1
                                                                                                                                                                                                                                        SHA-256:D2163CA69AA96A2DD6277CDF6BB1990758C677EF7259255995E448F18E1ACA99
                                                                                                                                                                                                                                        SHA-512:09E53F0546218D07C79E8436504097176910A909DD39814A062F19522B33334754F8BAC9F2BB03AC785B9E2463F3E24C12376A601642BC83BCE26D285AE19738
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...................................@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41512
                                                                                                                                                                                                                                        Entropy (8bit):6.409217717758582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ljfAw5tisN7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjxFUNyb8E9VF6IYijW:lksN74GX7nwOa5VS2ozdxFUEpYi60SXr
                                                                                                                                                                                                                                        MD5:5E0E85A164AA504598B5121AE6B33F4F
                                                                                                                                                                                                                                        SHA1:C2372406F7131D72376CA55B28788049A6FE8EB6
                                                                                                                                                                                                                                        SHA-256:DE2BE1CFE0E784D1FA5FAAF35C6671EA8FE50DC261562570415374DC75D77FB7
                                                                                                                                                                                                                                        SHA-512:3B19E86CCDAEB4F5F4ABDF32EAC26708C2B01C6D6DBABCE318E31C0E882C086DB6E76730DE4853302D768E2F4FBB0457347BA4D5642EBB512F14A4563D9B7AF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..n..........r.... ........@.. ...............................@....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):78888
                                                                                                                                                                                                                                        Entropy (8bit):6.0692535230722235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r7gzIBxkogIFNU1vTGGsUTcvMOkrIB76hB:rRBxnP25sUTcvwrIBk
                                                                                                                                                                                                                                        MD5:A9F0A629B9676577360E342A81A995AC
                                                                                                                                                                                                                                        SHA1:1877BB7196654D65EB536CF5785F9EA45C92C2CD
                                                                                                                                                                                                                                        SHA-256:01E666A5B281C046830567860D3BBB7BF7FA57A991937BAE0F0F229ABCE0CDAF
                                                                                                                                                                                                                                        SHA-512:34FF88D512AA26332F3497173217E2070F245E132C9ED66EE07F97CBCA0CB3BB133831E2B12AE8472240175BF0C60DCD4A30B83864AEDF505C1D7CEFEDAC16CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3./..........." ..0.............>!... ...@....... ..............................VC....`.................................. ..O....@..................((...`......4 ..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H........X..h............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.k...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe.config (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59944
                                                                                                                                                                                                                                        Entropy (8bit):6.132505617622881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:56O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60B:56O4JuxnT+UuLMcBClyrvGGa76w
                                                                                                                                                                                                                                        MD5:80D52CC0CA6E0A24C65C0EC6E1D04245
                                                                                                                                                                                                                                        SHA1:1A364154797C2F233111CA4E431CD5F169BCC5C6
                                                                                                                                                                                                                                        SHA-256:A6CD8C4F007327C2B3E5E9772C086139FE7C0208BB17FDFC63B78FC7C639DF77
                                                                                                                                                                                                                                        SHA-512:16E0E7013DA0059137C4CF0436694EBEB98377F1870E976A108DD22F37B6C73033C38722103DBD97F0AC12DA99E31D51B7114B9F7E70FA56F11A1F29B6EC40A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... .......s....`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23080
                                                                                                                                                                                                                                        Entropy (8bit):6.500983361117223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ALOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyNllq:AnMTR0Pa25EpYi60tlq
                                                                                                                                                                                                                                        MD5:677BF5CBCE3B4A8E2B35714DB3EC89D4
                                                                                                                                                                                                                                        SHA1:6317DA7E6DC45CDCE30BCC1AE8FA9DF391B954BB
                                                                                                                                                                                                                                        SHA-256:E10B0E751A752F746305959D765E649BD49B73670BECE4DA5C9ACA549B2E8A08
                                                                                                                                                                                                                                        SHA-512:A80A740E0F314F8A44B6698BDD0465C511140796BEE87990695C61F88A45C5A4290B141D1606447D539E7F18784972AC787B73679AE68A79E46C056FA0C78FBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ...............................S....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817640
                                                                                                                                                                                                                                        Entropy (8bit):6.551345291101956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:B9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP4:B9Nzm31PMo4
                                                                                                                                                                                                                                        MD5:1CDFFBCDDE48DD0DF288177F4A36E201
                                                                                                                                                                                                                                        SHA1:70F1740086944DC3551401C54834746BC88B4FB3
                                                                                                                                                                                                                                        SHA-256:FBC738BCA1208ECB4FE086F0C100B746644375BC838CF925DE0AADCB9A0DAEEE
                                                                                                                                                                                                                                        SHA-512:D3903FA3A98F8DDD34C39C9A091285E343AB8FD961EEF130926E2B4E165398263D45D7127DB6E6450560F3CB91A239A39DACB4B8DB2787762E17666DB7AF1B2D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." .................................................................P....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436200
                                                                                                                                                                                                                                        Entropy (8bit):6.781311333719278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Ls5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsZ:WlI+vIjE7mjOuKa8Riy+gvhaIn2+0+
                                                                                                                                                                                                                                        MD5:F31A6B9883F1835F9FB5CB9FB3B877E4
                                                                                                                                                                                                                                        SHA1:2C1DCF590151D9EEE2E34C78C9A9D6AE1517C3C1
                                                                                                                                                                                                                                        SHA-256:B06ABD1357A5D0111C380520A29E93D648632F240090756C61FE9BE9B518B02D
                                                                                                                                                                                                                                        SHA-512:171F9DC37C29508AF911764530286B2AA19731820F0C39B34F063B0E4C4EF16B501763BD32BA2C126CCEF88F89E3140D26A73B67C54AF1036E14049D95CC94F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):584433
                                                                                                                                                                                                                                        Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                        MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                        SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                        SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                        SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......FgY...........5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....(.......ch......75d..........z..L.....5...*...S.'.?...h.6..Eo....."y......5...z_...y..&....L..ZZ6.....=U...f...JYj......../..~.%......1,=....,.J....eG.=.i..G..I ..6m~.GO...............E,._&;>o.........{....@..Z.S......]....HS..TW...b...#Rh..H...p.|.A_..Q..NZ4`3a.....DE[.!.7.!.......@..]..ja..P.)..C...!g..UUG.........../..uW.&...!g..G.kv.z]C.-..p.....J..j.1".M..Wt.-x_.....&.g.k....Dc.}$".M....=..:......X?..i.peV..'.."-....e)0..'..D....v...1..1..g..X[...`....y....a...R...BE..:!.%{...v.:.K.#h.u..W..L.l..:.M..DXd.&.}......$.........:....D|t3......Q...&.".3>.@.....H.^.@..2. ..../.Y.............np....G.GU\......6.]i(.E).Z?yj..?V.Q.Q2.. ..q .Z4HN...W......G_.E*v3 ...A...4.....r...z..r..3~..i^..Qvj.:O*:.....+...>s&H.d..sF....V.8.~.'*......6..i......<....ol.($....8.E..s.....6...]WF!]P.I...\/..$....Q.4...r.b4S.Z.$..h....Y..5....v..n.2.K.w......(..?.UH..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                        MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                        SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                        SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g.........."...0.................. ........@.. ....................... ...........`.................................<...O.......x...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................p.......H........X...s...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                        MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                        SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                        SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                        SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                        MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                        SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                        SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                        SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186408
                                                                                                                                                                                                                                        Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                        MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                        SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                        SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                        SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ..............................,Q....@.................................,...O.......................((........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                        MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                        SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                        SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                        SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@......f.....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                        MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                        SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                        SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                        SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......r....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55848
                                                                                                                                                                                                                                        Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                        MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                        SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                        SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                        SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... ......s.....`.................................P...O.......H...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):257
                                                                                                                                                                                                                                        Entropy (8bit):5.187102765808569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:A9l5mzM9w3pKFSQwskIXAWiX+Rr4u4vDE7su3DX:C5mzLMSQwskIXA7K4P7E7s0X
                                                                                                                                                                                                                                        MD5:F880694FD085C3B4999FD5B736BD811D
                                                                                                                                                                                                                                        SHA1:2994B001869E6E1309F2C52293718F0F51C1DD92
                                                                                                                                                                                                                                        SHA-256:AA8C39013485EDBC6EB8BAA05872DD82A596D4DB3EECBC544DD2B0259D13EE8C
                                                                                                                                                                                                                                        SHA-512:A198FE7654593FEF54AABB04579A2DAC373A8E692C8CD2109DD3838B9F83525A45CC447704C68057CF741C5FB63D443264E1CABED446E3527844AF5DB9E121D7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=administrativo@viacolor.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OagB2IAJ /AgentId=b4e82e32-b266-4530-919e-fe1de1f98e09.19/12/2024 08:59:14 Trace Starting..19/12/2024 08:59:37 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\inprocmessaging\trayProcessMessages.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.2466620139778595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsP0ykItccU3cjxi/z3sOrc6UgMHDxZfgLPbW+uUomshTufrsf3J2MzqRI+OS:RbT+kIWl3cjxi/AEcRgMHDrfMmUOhTuj
                                                                                                                                                                                                                                        MD5:28CA163309DE9EB3AE832B33696CDCCF
                                                                                                                                                                                                                                        SHA1:470E0031D4B23640F844F8386C3337FB4CFD4D93
                                                                                                                                                                                                                                        SHA-256:5576700AD2366392CA2D3D7B5EA7687AB9C4FB92348421DC97DB063E5FFB8FA9
                                                                                                                                                                                                                                        SHA-512:9F821980E0442881A38CEC3ED33A0ADE8ECD7DFC121063B7C4ADE81BC9CAFC7780C2CE27F7926C3A58C40BFC46DFF6CABB04C7DC6153550DB8E297510D1EE3F5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6IjQ1NjUwYmQ1LWNmNTktNDg0Yy1iNmI2LTAxMmM5Y2MzMzYxYiIsIkNyZWF0ZWQiOiIyMDI0LTEyLTE5VDA5OjAwOjI1Ljc2NTA1MzktMDU6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):257
                                                                                                                                                                                                                                        Entropy (8bit):5.187102765808569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:A9l5mzM9w3pKFSQwskIXAWiX+Rr4u4vDE7su3DX:C5mzLMSQwskIXA7K4P7E7s0X
                                                                                                                                                                                                                                        MD5:F880694FD085C3B4999FD5B736BD811D
                                                                                                                                                                                                                                        SHA1:2994B001869E6E1309F2C52293718F0F51C1DD92
                                                                                                                                                                                                                                        SHA-256:AA8C39013485EDBC6EB8BAA05872DD82A596D4DB3EECBC544DD2B0259D13EE8C
                                                                                                                                                                                                                                        SHA-512:A198FE7654593FEF54AABB04579A2DAC373A8E692C8CD2109DD3838B9F83525A45CC447704C68057CF741C5FB63D443264E1CABED446E3527844AF5DB9E121D7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=administrativo@viacolor.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OagB2IAJ /AgentId=b4e82e32-b266-4530-919e-fe1de1f98e09.19/12/2024 08:59:14 Trace Starting..19/12/2024 08:59:37 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\Installer\4f2990.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.8786630833471385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:2+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:2+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:69A1CA360930E2D7E7E11FE55CDD5120
                                                                                                                                                                                                                                        SHA1:04F37A7B9C2033E529074F4FFD4883E00746CDCB
                                                                                                                                                                                                                                        SHA-256:DA82405461EA618B47CB324573FCF7C778CA56AD34ADA7529B520F0AB51C3A5D
                                                                                                                                                                                                                                        SHA-512:74C1EE8EE9E80F660DE6D36C0FFBEFA89D1142A0B8D2D1B70DD280900752B824A996AA0875509C8EAACD9B1C4F85C427F7DBAA8FCFD3ADF1C5E7022AD99F1821
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\4f2992.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.8786630833471385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:2+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:2+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:69A1CA360930E2D7E7E11FE55CDD5120
                                                                                                                                                                                                                                        SHA1:04F37A7B9C2033E529074F4FFD4883E00746CDCB
                                                                                                                                                                                                                                        SHA-256:DA82405461EA618B47CB324573FCF7C778CA56AD34ADA7529B520F0AB51C3A5D
                                                                                                                                                                                                                                        SHA-512:74C1EE8EE9E80F660DE6D36C0FFBEFA89D1142A0B8D2D1B70DD280900752B824A996AA0875509C8EAACD9B1C4F85C427F7DBAA8FCFD3ADF1C5E7022AD99F1821
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\4f2993.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\4f299f.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2AF7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2AF7.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2E63.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2E63.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI499D.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI499D.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4BC1.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437320
                                                                                                                                                                                                                                        Entropy (8bit):6.648054158147075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Ft3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ksh:LzOE2Z34KGzOE2Z34K2
                                                                                                                                                                                                                                        MD5:0839BBC18282E6A7608007D83C537B24
                                                                                                                                                                                                                                        SHA1:68AC3A34BE2617A0B0939438C48D3CC1A309FD92
                                                                                                                                                                                                                                        SHA-256:77D88A227E678AA81216C3088B3F7E1D17E80C866B013B02871C54B6960B6E2C
                                                                                                                                                                                                                                        SHA-512:1B470B118C669FF94A436C4AEB26528127AA8794852E8807F8B9245F8D100B163AC26F47B3CA4782567BCE4D1B1201F7FE3CEEE1BDF65D72E636772EF6BBB6B5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4BC1.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@eG.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4BC2.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4C40.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI4D4B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI68F2.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F2.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI7561.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7561.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI7D32.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8988.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI94D3.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435961
                                                                                                                                                                                                                                        Entropy (8bit):6.6514602220491215
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:gt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:YzOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:798B5FEC7C92CF6475150E68BDBCE240
                                                                                                                                                                                                                                        SHA1:8AE244045CF7EA4EC8D79466B6D02DED8CDB6ADB
                                                                                                                                                                                                                                        SHA-256:4A898DFDE70242D2CB22148CA7761CF03B633D67153AF5C4C54ED447215BD0DD
                                                                                                                                                                                                                                        SHA-512:3CD41A55F8E2636FCB537FE7009F66D31EDA7D0EA9FD017E24CE6623229A9D750B900692E252AD269427621FFDEE4BF86328F803CA7B6349BCE559617B909DB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI94D3.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI94D3.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.H.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI9551.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI968B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI96F9.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAE1C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.647806615225563
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Pt3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsS:1zOE2Z34K+zOE2Z34KT
                                                                                                                                                                                                                                        MD5:ED0035863F1184821AD2D6237E61AF17
                                                                                                                                                                                                                                        SHA1:1E8FE43E2654DBEF40C656EEF386FC1C2850BAD3
                                                                                                                                                                                                                                        SHA-256:8D6BF1728E60702E8C315937A815BF0576C60D3C10AEF778D4577C6ED59C90C9
                                                                                                                                                                                                                                        SHA-512:2FBF0D0494459170D3EA33ABB604ED0C9FDBC5C5C9B28C052AD2B20CA9754CF219A55D42EEB70E90F2FB547AF57529418DFF53505AB40E39B76ED87781745FF0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIAE1C.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.H.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAE2D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIAECA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB042.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB6DA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1727277438657633
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj9AGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JjQI5wBTr/F
                                                                                                                                                                                                                                        MD5:24A2E924725C51831B39E0A77EB3AB0D
                                                                                                                                                                                                                                        SHA1:10E619A0A61A4D6505D09051471AE02BFF8A4304
                                                                                                                                                                                                                                        SHA-256:440F2614F48D673FB1E63E0DBE7678E4C6D067934FCED86DD23AE1678AB9E515
                                                                                                                                                                                                                                        SHA-512:CFDF32CBA3619B536CD61CE83ADABFE04D5CE43B059163948B0A1C0D5179470446F9306DC2F219A79BA9E27922B911C3258D713FFE49D460988A48755BA44FD7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.162222733360783
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjzZAGiLIlHVRpMh/7777777777777777777777777vDHFQbhlp3Xl0i8Q:JjQI5cIb6F
                                                                                                                                                                                                                                        MD5:868C76640A5029BE6747CF0DC80AC451
                                                                                                                                                                                                                                        SHA1:1BF79F39D931EFBF69DDD44D2E8D67E23FFB899E
                                                                                                                                                                                                                                        SHA-256:BD388BA931EA10C6AC4ADB98C9754BCEE1921532F56B274AA19383D45DCF0536
                                                                                                                                                                                                                                        SHA-512:B4204D90DE97EE234ABD73B818A4CCAA668BC1B9AA2502EA1E9398245434DC153EE0B9BDBD69E36170F1BB7893136A26A2A7A6531B91034995BD6B2619DA1BE7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6209079653731067
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:b8PhPuRc06WXJEFT5BUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:ChP1HFT/UD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:C2B46DE621466C6178C4E749A4EDF577
                                                                                                                                                                                                                                        SHA1:085F34736AA565AE50B1059B5A75F4593827161E
                                                                                                                                                                                                                                        SHA-256:428C468548E466D64D3203C9FB9C670E87E4F3AF0A3461E76405801C7802202D
                                                                                                                                                                                                                                        SHA-512:695686B50524F17994BBE68E6BF22374EBC90B1FBEC45C30D40EAFEB9CC9268A7D10312AAB190B50A66A206DFB67EEB657C61B991E78F456468B9DA9C60C55EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):364484
                                                                                                                                                                                                                                        Entropy (8bit):5.365517772696625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpEi
                                                                                                                                                                                                                                        MD5:40066C04D1DB2F83A4700B1C8724E7F7
                                                                                                                                                                                                                                        SHA1:579DDA4F8FAD8749E588CE470BA37E2026E377CF
                                                                                                                                                                                                                                        SHA-256:670DEC9952A01B7872DAE475932FA5066DB49804B392CE591B43A5B5AA097376
                                                                                                                                                                                                                                        SHA-512:C74E0DB908C145385362B93A05CB51A90D1C7D059768369BFEEA8BF053BBF72F83047D1288EF02B130F3D7EC1720B13C6331E51CB404D0786B359D4754EAD2E2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4761
                                                                                                                                                                                                                                        Entropy (8bit):7.945585251880973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                                                                                                        MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                                                                                                        SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                                                                                                        SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                                                                                                        SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.143638826157143
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JyYOv5GLsHmK3AEUxWUWhsCgcYdAcPsvh:JROvILstgn2g8h
                                                                                                                                                                                                                                        MD5:998719C21776CA4295A5C19B91F6D213
                                                                                                                                                                                                                                        SHA1:52FC7E25E7D5CD3B922E889A0E7BA71662F1ADA7
                                                                                                                                                                                                                                        SHA-256:DAA81743ACAEB73A7601AC4DE5E8F34D84BF73386FB2A549FCF700296FC68A9C
                                                                                                                                                                                                                                        SHA-512:3F1248E624C46FCDAE6DC0C2D8F08E98D04279E3E27B7E8B103A5DA8BAF3BC77EFB146BAD4EB5BD5BCC0EB7077735433EDD1D30C2E5038EC86C50CE5EB3EDD9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241218190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241218190516Z....20241225190516Z0...*.H.............F.=.o...q...%.. ..I.....h........r(.*}....W..........=....o.;f...SSEb3m+...O....|.0$...Q.I_..5...FN8S!C^|9.....H.....f..r.......vZ;....h.S.....[....kC.|.i./5.!..)..5.sv.C.J.....4..=..R...Ka,d..>...3...+.[..c.1r|'.:H.iK9A.8...........w......)r..)m.R...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.582794108640658
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq9yvnG5h44TUqeqx2qjUKZfJ2UUYInM9kDmcdFmaKyb3WnOGHGbI5pasMm5J:5NnGoqv2YUKyUymcTmaKWGnlHGbIX3NT
                                                                                                                                                                                                                                        MD5:A474ABDFA740E2018BF0BBCF880FAFD4
                                                                                                                                                                                                                                        SHA1:0745C1243245159D9294508F81F4427B09149B5A
                                                                                                                                                                                                                                        SHA-256:9FEDC8A34A2BB292AD1C5418BC6EEFC9C0476C72C3C2C32F81662A972F58CB2F
                                                                                                                                                                                                                                        SHA-512:745EDE16D016B39FAD01579658878E2C94F5AADAF747A88CE8BFECE9FC3AEB46879A0C978A54EF3E769CAFCB0EE08D5C38B740134FC77EC9EDC9503C350C25C3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241218213720Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241218212102Z....20241225202102Z0...*.H.............F....w.v...\.*E`=a'......?...<sg.6...D.....N...j<UG...nE...l/.;B.Q@.l|..$....#N.\.s..J?Y.&bnP..2....c.NF.....f.`...C..t<...T.K.. ..}...p.w.j...........MG...7..f...*.8.\...........hQ.HKkC.6.X$..aRZ..~...G..;.....!..r~l.Q'h...,...mO..3....h.....".n.....T..?...n........B...s*....*....N.U.j.4.T..q`.?.......]Lce...WI...a_g.......$..;.x.".$...YO....G.]......l....L!.bX}.... .O.&..GD.....DwE..u>.fY/.......McZn.o..'..7~W........yvX%..%Z.....J..]..>..0L.q..../k...g...|./.]<@.OJ_[..U.<

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.622137594391479
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZbj/c5RlRtBfQtj/2s/yXRkux7upVg7vbV8E7uItc1sI3StgTMHbSa1ymnAf:5iZj/cdZYj/2lXRk+7uDQiEgeI3SGTi4
                                                                                                                                                                                                                                        MD5:6E8ABCFDE63A04D6C0F7FAE95D6F98A8
                                                                                                                                                                                                                                        SHA1:D8C3BD8E7A0D18FD4435A0842DC1F4FC4B76F367
                                                                                                                                                                                                                                        SHA-256:25F012AE852B065244E4312AD1DD00DFB30B151C2CDF97024D49665A04D9EF2D
                                                                                                                                                                                                                                        SHA-512:4577C8E553D326B1A1C4F93CB6A8DD40486F8D9CAD3009FD8A2006F4749667DD10999AE198AA9E37569A8E88F3B5D28819872F7E572A5B4CCC05EAFB0CD1942F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241218184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241218184215Z....20241225184215Z0...*.H.................M.........Aq..&.......IqUb...D.VR.....G>.R0..T..{..e...6.$=B..SX......V....?...Q.9(...................x.r..s....%[....`.o.i.. .v.....g .V...E1...........}..........1.....".E...J..H..4......<.z..i.;...mat ..F..EM.G..w+k.7'.)|...8....f\....~...A.=..d<..K.......IY..."u.....s.Y.#..nJ.ct..31Y....k*.Q.#:i..y.U.7.......s..lG..$.s..y.GY.l.%~g...<..L.M...8.h...%.r.....k...YZ0\.Sj.n.o..UIB..fet.qT.%S..(..*.......@>..d".z4.;.....p..]j+a....X..($b...K&..O`....Q.;-...{.?.|...5vc.B1.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):340
                                                                                                                                                                                                                                        Entropy (8bit):3.252926296396442
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKbnlU5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:LlrLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                                                                        MD5:015385DF6008A3C77241F844A65DE9C2
                                                                                                                                                                                                                                        SHA1:4377A3F4584230927EB0859DB9170CD6FF7F0FD0
                                                                                                                                                                                                                                        SHA-256:34F8D9C25E3018C4BD9EBB4E9DBCB4924570DDB06D2DD39A216F1E3F37ED8AF1
                                                                                                                                                                                                                                        SHA-512:D776EBE1D64F951CF02EE3FA65A86F6A42F231D0E5EA6A59DBE60FA1FCCC55D55855734D6BDAA9D8249558613D33E7190B01FD3958B94270DEFB6621C584899A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........P...R..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.93267226324866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK/hf0XdavtllXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:hf0yjmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:28D126DF1206D48CE557C8E6FB6CCF85
                                                                                                                                                                                                                                        SHA1:632A124BDAC9F9CF92E2A5CAFC6E2C544FE966AD
                                                                                                                                                                                                                                        SHA-256:15A049B4F2DFD830346BFB76E0859D285A2B060A31031CF0EE64C95652BF50E3
                                                                                                                                                                                                                                        SHA-512:FECBC7685E1B5971AFFA0AA5F5AB688DED2E60B263E35D647416C513D65705541E5B0F8E8D5DA7D34391F7895647DACB5601A11155DF271409064A95B7644AA4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ..........A.R..(................>...Q...~...V...................~...V.. ........q...R.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.9412278468417568
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK31U7BXRXzEpyfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSd:t8p9mxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:182B53A9F8D703DFD558EDD06CB609F5
                                                                                                                                                                                                                                        SHA1:20CB65A6CCAABDDDB48D9EB6717CB475363AD889
                                                                                                                                                                                                                                        SHA-256:23AC5D602387398FB63F59322D3E79B7819FFDD799E556EC83B2F1EEDEE474D4
                                                                                                                                                                                                                                        SHA-512:4A8434D1728CFB775DBDBBDAFAB7D7350A7AFD579D189783A04647B0BE7BED2B2DAD0F7265B31531B713B4FE91430AD984BF2B67E69C580B114B5C3385077331
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ......."R..(................3D..Q....d..W....................d..W.. .........=..R.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.206650934253046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKD7nzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:77StWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                        MD5:C57E83ACACBD15BE71D8AF55A7983EED
                                                                                                                                                                                                                                        SHA1:21C224B87E370274B1705A2A6C775883E7C376F1
                                                                                                                                                                                                                                        SHA-256:DEBAD60E71CC6D3780B8C50A4B1D01FEAA62018C542AE1BDD30AC9A19369FE70
                                                                                                                                                                                                                                        SHA-512:B5BB5621ED73CDDB89F9E676BE73207B926F49217A75B253E6E730331F7F00E8E6833D8DE96B28BF8B395B2DA4C8D47776B56272743C4C086513700153CDA39B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .........QJ."R..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):4.003497033386128
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:UnBMw+kK5lQmxMiv8sFBSfamB3rbFURMOlAkr:GK7Qmxxv7Sf13rbQJr
                                                                                                                                                                                                                                        MD5:B59633D8A604B3B37C769B11DDEDAB10
                                                                                                                                                                                                                                        SHA1:21F4C7C35D6A9DFB8E70741BE6DB77598BC5F4B6
                                                                                                                                                                                                                                        SHA-256:8EA0B0F337DBF2B0876A43A96B637D0C5BEDB44794F97497DFC58F4FDEDB7F16
                                                                                                                                                                                                                                        SHA-512:A3133184C721063735ED4A92473DB08599C2C3FE2810CC13D43DDA1DFC599B511180C427FF97ABF00DAD67AC53A7A094C3C101393790A5C2C2939B4D2B3B2A66
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(...tZ.S.R..(................]..|Q.......V.......................V.. ............R.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.026304821687121
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKxzLLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:JzLLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                        MD5:9A7B0F3956B4C45251392D0D158A77F4
                                                                                                                                                                                                                                        SHA1:3F85BDDA46341473CDA23797FA786249CF50EE7D
                                                                                                                                                                                                                                        SHA-256:925F7936E95CCEB641F477C71835EA66ED6E3924860BED2CF1034A26EABB73E9
                                                                                                                                                                                                                                        SHA-512:5872B6EC693F39088672CB3658C402B05C56F6DF6652F84589DAA9F18A488550FFECE11EA8755D68106123D2C3DA11203068B707305B93031CC756879749F9E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l...6..T"R..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1983
                                                                                                                                                                                                                                        Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                                                                                                                                        MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                                                                                                                                        SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                                                                                                                                        SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                                                                                                                                        SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                        MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                        SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                        SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                        SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.381647656863045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHeHK/:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4f+m
                                                                                                                                                                                                                                        MD5:52CDAA83C48EDB391B9D77AE080A7F05
                                                                                                                                                                                                                                        SHA1:BC3E421F10517820F55349F0C636CE6F5AC43D25
                                                                                                                                                                                                                                        SHA-256:CC4BC1EB52CD4548732E5120182DE3E3B7F5D9191BAF7B0D40DF17D30D0C0D5C
                                                                                                                                                                                                                                        SHA-512:FDFA5A33A156B89D4772A5A503ECD01B5780CD88B2286FDD0DFA47477A7EF58C5F5720CA591A7F27014AB5ED7A6CE3CDA0E71CD329332498F207AC4439626813
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7

                                                                                                                                                                                                                                        C:\Windows\Temp\AteraSetupLog.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):227602
                                                                                                                                                                                                                                        Entropy (8bit):3.769393063690416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1QMberbKRBNxfaa5LqxnUrgwdaTWdm1qOpCEnJRpjxqezo88KmiTddZNuJjIUyMC:sqjjWmDY6ajwzaBlxCCEw4WB
                                                                                                                                                                                                                                        MD5:27D88323D8892427C93F50873CB182B2
                                                                                                                                                                                                                                        SHA1:9D937A84AEDDC4CA6E0C41FA00FD1474C1C2E7BA
                                                                                                                                                                                                                                        SHA-256:E975D4131DE55034CD35F198F4DC84AD61047F1A316D3984172A99FBAD6D53CB
                                                                                                                                                                                                                                        SHA-512:876027F96D1616097BBAE3A3E8D9A12D0495F32A8CCB64C8909A593FAF45C5E913B44ACAA8D644E80194B593E38DD489578FB0F2EBDB3817604BA3BAC3AC41E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.9.:.0.0.:.2.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.8.:.B.4.). .[.0.9.:.0.0.:.2.4.:.1.0.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.8.:.B.4.). .[.0.9.:.0.0.:.2.4.:.1.0.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.3.8.:.B.4.). .[.0.9.:.0.0.:.2.4.:.1.0.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.7._.2...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.3.8.:.B.4.). .[.0.9.:.0.0.:.

                                                                                                                                                                                                                                        C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):50118766
                                                                                                                                                                                                                                        Entropy (8bit):7.957485378824845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6x6nOlttpvhus+cERcrYSjOAYU41gWJDJn051AOnsC/C6VMIMuIs3zMD88q0CNG2:xnOdpvYs+cvrrjOAYfDJnEAOns5w5k89
                                                                                                                                                                                                                                        MD5:6D377F835961782ADE36D346A13BC2FA
                                                                                                                                                                                                                                        SHA1:836E1C84181C23D1954EDF43270233AF4E3B9B88
                                                                                                                                                                                                                                        SHA-256:C23006BE0ED95C7394D628D8F39DA8A8C2E1B0E7E1837281892997D263321E8B
                                                                                                                                                                                                                                        SHA-512:FBB9BC14C5E6A7B7C4696BBD9C062EB80193FF0BBFC93183B3BB9245BCF014BD0FF6D76706616BBF4A90F710FD0E87BC67C5A8BE3EDE656075D3BDA232DA9726
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L.....Gg............................./............@.................................Rwd.............................................. ..(............0d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\ateraAgentSetup64_1_8_7_2.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF01BD76F0A239A58F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF03D1C7D22E7DCE0D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1B45AEA15F5573E8.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.16367266857884172
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9nnaPudhg:hybIciuBuna0hg
                                                                                                                                                                                                                                        MD5:9E2F558049E0F016D98F93C62D3F30DF
                                                                                                                                                                                                                                        SHA1:E383A3BA8CFA696B55A1F386F3FCAD0311E34F48
                                                                                                                                                                                                                                        SHA-256:5B300AD570DC1C8C81C0E535488EC7541EA97FE22A171563D3EFFA96FAEB9BE8
                                                                                                                                                                                                                                        SHA-512:A5F750031AAD0100426F788E93CEF5F5DFCE7F6A40047B87D5F484D75BA86BE2F983896BC787F546FC53D22E2329770230C34F81CCCFD140ABF21252F1220E80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1B45AEA15F5573E8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1C6968C26E4CFC81.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF27E1E81C382BEDC7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.06913925724117206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOEBVbhGyVky6l3X:2F0i8n0itFzDHFQbhE3X
                                                                                                                                                                                                                                        MD5:5998AD930A74991A0B833863019557C1
                                                                                                                                                                                                                                        SHA1:0AE978694ADBE8ECCFE0E728607CE170A46373AA
                                                                                                                                                                                                                                        SHA-256:5B34DC1386D0AB34E039E7F0DF9E5F7F301AF0A8A98C430453860EC2F8B1A540
                                                                                                                                                                                                                                        SHA-512:D7A4128B822205D3D7CEC3809595257A5080426E82EDA9A20B3BD550ADCDA9D95A588CD6D1A210397B6ABCE123F210D89B6C048F9D0FD6EA5F1BD9B5521BEDE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3378F3AB83994214.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.000755068488791
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:zMMXukPveFXJ5T5pnUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:9XUhTnnUD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:44D46DD5B7CB313C8F3EABA433521C19
                                                                                                                                                                                                                                        SHA1:2CBF6EBE26A5906D0EF75E6C8A2B6824EB3FAF5D
                                                                                                                                                                                                                                        SHA-256:559489A4C2E6736BFAC1709645E4C12278BE909BBF7320E9DABB2E4C5BA141EA
                                                                                                                                                                                                                                        SHA-512:9EDA32B85C2EC27DEBA2D00B9375540D04CB8E73DA971700D465BB58A04F248D56930457F15EDED51160E1F506E7F7B15BCBD8E683C211D2564A37A17C4307A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3378F3AB83994214.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF443585D1A7D62C60.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF49E81643EC481818.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2309709779484055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OVUuKPveFXJ5T5FUDeqISoedGPdGTBaStedGPdGTn:iUGhTjUD7I5D
                                                                                                                                                                                                                                        MD5:D32C48BD72DA5D2B258327A6041A8A7B
                                                                                                                                                                                                                                        SHA1:6904F346746F7160D446B05960692501143CB5D2
                                                                                                                                                                                                                                        SHA-256:51358A62AF8AF3AD9EDB44586776F462DCF095CA3305F00DFF0CEF1F2EE02357
                                                                                                                                                                                                                                        SHA-512:DA946BC5FEAF09BF212C676F1B2CDE2D165E85516A42D9A913A4D4D496F42C65959FEA3194A93FBABD8F172F187C1FC420A18D8424E8F6A61466575F29968CA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF49E81643EC481818.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5001270B5BDAF215.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5671BA8A99206CCA.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5B5EFCE9D8C8281B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6B4C5B1B699C0127.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6E8F4B29505839D7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2214623322250886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:I8PhcuRc06WXJEFT5RUDeqISoedGPdGTBaStedGPdGTn:Xhc1HFTPUD7I5D
                                                                                                                                                                                                                                        MD5:616DC6CB7E4DA639C6109977D8EBA794
                                                                                                                                                                                                                                        SHA1:57D4A92003CED5F1DAAF4F63C8356CD0BD48C71E
                                                                                                                                                                                                                                        SHA-256:5F3FB94AEF0A6451048610C237FCF7420FFB4122F8CE54568C226A3AC012F2B9
                                                                                                                                                                                                                                        SHA-512:6A87698AA07DA287CAA185B0228476814C490BAAAC1EBC6679A8DF4A88700DA0B06BFE1002D2A135C3E31DFB56B88E2C50C840FEEA0C78A1E08753903983CDB3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6E8F4B29505839D7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7CBFDA3BF520CF70.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6209079653731067
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:b8PhPuRc06WXJEFT5BUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:ChP1HFT/UD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:C2B46DE621466C6178C4E749A4EDF577
                                                                                                                                                                                                                                        SHA1:085F34736AA565AE50B1059B5A75F4593827161E
                                                                                                                                                                                                                                        SHA-256:428C468548E466D64D3203C9FB9C670E87E4F3AF0A3461E76405801C7802202D
                                                                                                                                                                                                                                        SHA-512:695686B50524F17994BBE68E6BF22374EBC90B1FBEC45C30D40EAFEB9CC9268A7D10312AAB190B50A66A206DFB67EEB657C61B991E78F456468B9DA9C60C55EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7CBFDA3BF520CF70.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7EFDB4EF32959954.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.000755068488791
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:zMMXukPveFXJ5T5pnUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:9XUhTnnUD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:44D46DD5B7CB313C8F3EABA433521C19
                                                                                                                                                                                                                                        SHA1:2CBF6EBE26A5906D0EF75E6C8A2B6824EB3FAF5D
                                                                                                                                                                                                                                        SHA-256:559489A4C2E6736BFAC1709645E4C12278BE909BBF7320E9DABB2E4C5BA141EA
                                                                                                                                                                                                                                        SHA-512:9EDA32B85C2EC27DEBA2D00B9375540D04CB8E73DA971700D465BB58A04F248D56930457F15EDED51160E1F506E7F7B15BCBD8E683C211D2564A37A17C4307A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7EFDB4EF32959954.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8529FC9B6D313511.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.13052834664164256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGyTWTZkJ+BYM+nl:CnAStedGPdGeqISoedGPdGTBYwg
                                                                                                                                                                                                                                        MD5:E790C1433763FA648E02963FF11F9E4D
                                                                                                                                                                                                                                        SHA1:A55C0B740DBD542B94562522BBEF820AB6F4C801
                                                                                                                                                                                                                                        SHA-256:E4D2B8E6CFF2FFBABD9B4A37A08A23BE4ECF00F8F0B09CE1ECA787808C0A363D
                                                                                                                                                                                                                                        SHA-512:FB062215C250744774A57EF6E6D84EB16E8770CAC7F6F7F183FF2333BAA8D48A52DE5C31C7A763F7469B9D98561B9E2A8C36BD3A455C19A9A1B2B9B17F7C4981
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8529FC9B6D313511.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF87C6B92714B7BD81.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8E94A119B81CADD1.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF908E6BBA5FDEBAB2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2214623322250886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:I8PhcuRc06WXJEFT5RUDeqISoedGPdGTBaStedGPdGTn:Xhc1HFTPUD7I5D
                                                                                                                                                                                                                                        MD5:616DC6CB7E4DA639C6109977D8EBA794
                                                                                                                                                                                                                                        SHA1:57D4A92003CED5F1DAAF4F63C8356CD0BD48C71E
                                                                                                                                                                                                                                        SHA-256:5F3FB94AEF0A6451048610C237FCF7420FFB4122F8CE54568C226A3AC012F2B9
                                                                                                                                                                                                                                        SHA-512:6A87698AA07DA287CAA185B0228476814C490BAAAC1EBC6679A8DF4A88700DA0B06BFE1002D2A135C3E31DFB56B88E2C50C840FEEA0C78A1E08753903983CDB3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF908E6BBA5FDEBAB2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF908E6BBA5FDEBAB2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9D746214972F8E5A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA0A444E51010A4F8.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA1976F16BBE3B171.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA976D54726B7716B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFAD3EF6C8B7EA5615.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.000755068488791
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:zMMXukPveFXJ5T5pnUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:9XUhTnnUD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:44D46DD5B7CB313C8F3EABA433521C19
                                                                                                                                                                                                                                        SHA1:2CBF6EBE26A5906D0EF75E6C8A2B6824EB3FAF5D
                                                                                                                                                                                                                                        SHA-256:559489A4C2E6736BFAC1709645E4C12278BE909BBF7320E9DABB2E4C5BA141EA
                                                                                                                                                                                                                                        SHA-512:9EDA32B85C2EC27DEBA2D00B9375540D04CB8E73DA971700D465BB58A04F248D56930457F15EDED51160E1F506E7F7B15BCBD8E683C211D2564A37A17C4307A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAD3EF6C8B7EA5615.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBE80B6E0A5A4ABDB.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC80D2F2967D7A4F8.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6209079653731067
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:b8PhPuRc06WXJEFT5BUDWaqISoedvPdvbCnuhnq9nnaPdStedvPdvxubS:ChP1HFT/UD+IciuBunaF4
                                                                                                                                                                                                                                        MD5:C2B46DE621466C6178C4E749A4EDF577
                                                                                                                                                                                                                                        SHA1:085F34736AA565AE50B1059B5A75F4593827161E
                                                                                                                                                                                                                                        SHA-256:428C468548E466D64D3203C9FB9C670E87E4F3AF0A3461E76405801C7802202D
                                                                                                                                                                                                                                        SHA-512:695686B50524F17994BBE68E6BF22374EBC90B1FBEC45C30D40EAFEB9CC9268A7D10312AAB190B50A66A206DFB67EEB657C61B991E78F456468B9DA9C60C55EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC80D2F2967D7A4F8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC80D2F2967D7A4F8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD2715D2EDAE221FB.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2489738549956582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rJgLuk+PveFXJxT5yOdLqISoedGPdGfqbrXKeoStedGPdGRubxn:rCLFJTJGIO7o1
                                                                                                                                                                                                                                        MD5:5EB2145FE5220DF076F1C7B702086547
                                                                                                                                                                                                                                        SHA1:7AF9F833826D37B4C87F9D86C569AC2D8DF2F639
                                                                                                                                                                                                                                        SHA-256:F7B836ECED04A6C84B80C7BE6C018011E9D35D2C49923B6773B50266978AE7F9
                                                                                                                                                                                                                                        SHA-512:E3BDC8AC24652F80ED88A774B6CD391A515221638FFA4D50FB618FE455AF8A0595C880ADF538AE9A1958F5F609C305CCF869C4DCFB52B27E0850BD696A05074D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD2715D2EDAE221FB.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD278ACC22C26CDF3.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2309709779484055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OVUuKPveFXJ5T5FUDeqISoedGPdGTBaStedGPdGTn:iUGhTjUD7I5D
                                                                                                                                                                                                                                        MD5:D32C48BD72DA5D2B258327A6041A8A7B
                                                                                                                                                                                                                                        SHA1:6904F346746F7160D446B05960692501143CB5D2
                                                                                                                                                                                                                                        SHA-256:51358A62AF8AF3AD9EDB44586776F462DCF095CA3305F00DFF0CEF1F2EE02357
                                                                                                                                                                                                                                        SHA-512:DA946BC5FEAF09BF212C676F1B2CDE2D165E85516A42D9A913A4D4D496F42C65959FEA3194A93FBABD8F172F187C1FC420A18D8424E8F6A61466575F29968CA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD278ACC22C26CDF3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFDC1661FA1C2D6BB2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14107295831578587
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnhubmStedGPdGeqISoedGPdGfqbrXKepuR:iIyLIOY
                                                                                                                                                                                                                                        MD5:5F88DC7745D7F417E1AAA923BDB149F5
                                                                                                                                                                                                                                        SHA1:EBC9A8DF4EA90E39FB50E5A4EB8BA28203914DB1
                                                                                                                                                                                                                                        SHA-256:06A578C3AC70001FF8130B540D75433E910FC68260F267414443C90CED06A772
                                                                                                                                                                                                                                        SHA-512:F7DB7697B542B74D2379CA0675ED17541CAC2DFED5ED70718D48478B4799ADD5C324E27A74AA7F53C6CAD21D31C89082D451C09D56442712DCABDECBD25D539A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDC1661FA1C2D6BB2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE71DF77CFF880D03.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2489738549956582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rJgLuk+PveFXJxT5yOdLqISoedGPdGfqbrXKeoStedGPdGRubxn:rCLFJTJGIO7o1
                                                                                                                                                                                                                                        MD5:5EB2145FE5220DF076F1C7B702086547
                                                                                                                                                                                                                                        SHA1:7AF9F833826D37B4C87F9D86C569AC2D8DF2F639
                                                                                                                                                                                                                                        SHA-256:F7B836ECED04A6C84B80C7BE6C018011E9D35D2C49923B6773B50266978AE7F9
                                                                                                                                                                                                                                        SHA-512:E3BDC8AC24652F80ED88A774B6CD391A515221638FFA4D50FB618FE455AF8A0595C880ADF538AE9A1958F5F609C305CCF869C4DCFB52B27E0850BD696A05074D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE71DF77CFF880D03.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEDAD2D6CCD27AEC5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5598895581479888
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rm8PhTuRc06WXJ8FT5yOdLqISoedGPdGfqbrXKeoStedGPdGRubxn:r5hT1fFTJGIO7o1
                                                                                                                                                                                                                                        MD5:4A3EEFD69F982F2A177CA2822F7BF8A8
                                                                                                                                                                                                                                        SHA1:7266DD2FA927E2E2AD2A313327F0B5DD79D3DF11
                                                                                                                                                                                                                                        SHA-256:EF1F70EA77A23F82DF661E8FCF06F5DC8BBAA041D1EB4403A04EC62F3F7B7468
                                                                                                                                                                                                                                        SHA-512:D7E1B6011237207D844828D8032645C92657B7ABDC695E2F2A51E6B6F499C8246A64AF2EE31403266617A2B99662D878CA9267810BB554FCB7CE4E0146B5A2A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEDAD2D6CCD27AEC5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEDAD2D6CCD27AEC5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF1BF0C1883F92515.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2489738549956582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rJgLuk+PveFXJxT5yOdLqISoedGPdGfqbrXKeoStedGPdGRubxn:rCLFJTJGIO7o1
                                                                                                                                                                                                                                        MD5:5EB2145FE5220DF076F1C7B702086547
                                                                                                                                                                                                                                        SHA1:7AF9F833826D37B4C87F9D86C569AC2D8DF2F639
                                                                                                                                                                                                                                        SHA-256:F7B836ECED04A6C84B80C7BE6C018011E9D35D2C49923B6773B50266978AE7F9
                                                                                                                                                                                                                                        SHA-512:E3BDC8AC24652F80ED88A774B6CD391A515221638FFA4D50FB618FE455AF8A0595C880ADF538AE9A1958F5F609C305CCF869C4DCFB52B27E0850BD696A05074D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF1BF0C1883F92515.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF1BF0C1883F92515.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF4369381B03DE630.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5598895581479888
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:rm8PhTuRc06WXJ8FT5yOdLqISoedGPdGfqbrXKeoStedGPdGRubxn:r5hT1fFTJGIO7o1
                                                                                                                                                                                                                                        MD5:4A3EEFD69F982F2A177CA2822F7BF8A8
                                                                                                                                                                                                                                        SHA1:7266DD2FA927E2E2AD2A313327F0B5DD79D3DF11
                                                                                                                                                                                                                                        SHA-256:EF1F70EA77A23F82DF661E8FCF06F5DC8BBAA041D1EB4403A04EC62F3F7B7468
                                                                                                                                                                                                                                        SHA-512:D7E1B6011237207D844828D8032645C92657B7ABDC695E2F2A51E6B6F499C8246A64AF2EE31403266617A2B99662D878CA9267810BB554FCB7CE4E0146B5A2A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF4369381B03DE630.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF5EC5076BB7AF27D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFFA8F097E17EA90D2.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2309709779484055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OVUuKPveFXJ5T5FUDeqISoedGPdGTBaStedGPdGTn:iUGhTjUD7I5D
                                                                                                                                                                                                                                        MD5:D32C48BD72DA5D2B258327A6041A8A7B
                                                                                                                                                                                                                                        SHA1:6904F346746F7160D446B05960692501143CB5D2
                                                                                                                                                                                                                                        SHA-256:51358A62AF8AF3AD9EDB44586776F462DCF095CA3305F00DFF0CEF1F2EE02357
                                                                                                                                                                                                                                        SHA-512:DA946BC5FEAF09BF212C676F1B2CDE2D165E85516A42D9A913A4D4D496F42C65959FEA3194A93FBABD8F172F187C1FC420A18D8424E8F6A61466575F29968CA5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFA8F097E17EA90D2.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.051708811439406
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6gueg4VgiQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:mMVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:6FB74BD8B572D5BED6FF47B245EB7D11
                                                                                                                                                                                                                                        SHA1:74916ED5C2AE9935BE2300ED2253CFC4042826BA
                                                                                                                                                                                                                                        SHA-256:2E8FEB9E8656516008E716CF2B26D164549143557FCCC82D85C76F95CD1B0F54
                                                                                                                                                                                                                                        SHA-512:7BC511D8D0B8EF35D881F035BCF4C32D8D07B4AD12C276AC218DBBE6A2124F4D9512F49BBA8AE8F56C7AA3DC39601EED0A5D4F559271BFEBC05BE57B43372B75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-19 09:00:54.1361|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:02:05.0157|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:03:56.9115|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-19 09:05:27.4637|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.8786630833471385
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:setup.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:69a1ca360930e2d7e7e11fe55cdd5120
                                                                                                                                                                                                                                        SHA1:04f37a7b9c2033e529074f4ffd4883e00746cdcb
                                                                                                                                                                                                                                        SHA256:da82405461ea618b47cb324573fcf7c778ca56ad34ada7529b520f0ab51c3a5d
                                                                                                                                                                                                                                        SHA512:74c1ee8ee9e80f660de6d36c0ffbefa89d1142a0b8d2d1b70dd280900752b824a996aa0875509c8eaacd9b1c4f85c427f7dbaa8fcfd3adf1c5e7022ad99f1821
                                                                                                                                                                                                                                        SSDEEP:49152:2+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:2+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:D9D523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:08:58:59
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff7afae0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:1
                                                                                                                                                                                                                                        Start time:08:58:59
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff7afae0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:08:59:00
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 66C0EE8C29E52882C8A385FD1BF92EE2
                                                                                                                                                                                                                                        Imagebase:0xa80000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:08:59:00
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI2AF7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5188468 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.2069270840.0000000004C7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:08:59:01
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI2E63.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5189453 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.2084120126.00000000043A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2143711735.0000000004714000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2143711735.0000000004671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI499D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5196218 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.2146162541.0000000004FD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 00FD17B3AC21B0F46E73B19CA8417F19 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0xa80000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xc0000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x620000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:08:59:08
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0xa70000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:08:59:09
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:08:59:09
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="administrativo@viacolor.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OagB2IAJ" /AgentId="b4e82e32-b266-4530-919e-fe1de1f98e09"
                                                                                                                                                                                                                                        Imagebase:0x11d78e10000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2223315915.00007FF8486A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220738659.0000011D792D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D000B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2221446131.0000011D7B41A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220104196.0000011D78F81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000000.2163968967.0000011D78E12000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2222042672.0000011D7B620000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2222257977.0000011D7B65B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220045144.0000011D78F66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D00166000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D00132000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D000BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220132555.0000011D78FF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220132555.0000011D78FC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220132555.0000011D78FAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D000B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220045144.0000011D78F60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D000C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D0008C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2222542212.0000011D7B6B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2220132555.0000011D78FA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D0017C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D00089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2217324832.0000011D00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:08:59:14
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x1ed64ec0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2799159238.000001ED7E9E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E485000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738724708.000001ED64FDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2786251451.000001ED7E548000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2778761610.000001ED7DF60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E4C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED658A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65C87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E476000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2793915331.000001ED7E950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65F78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED660AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738724708.000001ED64FD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65F2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65E3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65B4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E50A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738724708.000001ED65056000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2787923096.000001ED7E587000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2778761610.000001ED7DFA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738724708.000001ED65090000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65B38000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2787923096.000001ED7E59F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65B4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65AEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65C9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED659E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65D33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2740847986.000001ED65290000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738724708.000001ED6500C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED65C84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2735741380.00000030BFD15000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2738597745.000001ED64F70000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2782680199.000001ED7E4F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2742132423.000001ED6592B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                                        Start time:08:59:15
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff734f60000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:08:59:15
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                        Start time:08:59:16
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI68F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5204234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000003.2226546955.00000000047FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2281215708.0000000004941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2281215708.00000000049E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                                                                        Start time:08:59:31
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4580f161-348f-4660-82a1-d0c91a55c7f5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x23d017b0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2426958772.0000023D1A990000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2422868525.0000023D01AAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2424253508.0000023D0230E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2422868525.0000023D01A60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2424253508.0000023D022A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2422868525.0000023D01A20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2424253508.0000023D02293000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2422512608.0000023D01940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000000.2384228786.0000023D017B2000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2423867948.0000023D01C22000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2422868525.0000023D01A6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2424253508.0000023D02267000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2424253508.0000023D02221000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:08:59:32
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "1c62d242-ef11-4dd1-b25a-a7573ec8f5a2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1d3c8250000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422562984.000001D3C83F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2424207379.000001D3C8CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2424207379.000001D3C8C53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C848C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C8458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C84D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C8498000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C846B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2424207379.000001D3C8C43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2424207379.000001D3C8BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2426872557.000001D3E13F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2422768883.000001D3C8450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:08:59:32
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:08:59:32
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:08:59:36
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "2758ee41-7b77-4f67-9854-7a385a909e8f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1e4804b0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E48077D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2442725300.000001E480E13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E4806A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E4806A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2442725300.000001E480DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E4806DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2442725300.000001E480E23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E480724000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E4806C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2441669794.000001E48078B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2442590790.000001E480800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:08:59:36
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:08:59:37
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x25c4f660000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50869000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C5083F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3194308228.0000025C68955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F92C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3010693802.0000025C4F8B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C500E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50813000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C503CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C5029A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F936000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50362000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F9AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C508C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3214114628.0000025C68C81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3009940206.0000025C4F710000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C506F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F975000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F8F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3205466110.0000025C68BF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C505E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C503C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C50893000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C501B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C504E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3205466110.0000025C68C57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3205466110.0000025C68C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3214114628.0000025C68CBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C508E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3205466110.0000025C68BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3011380999.0000025C4F8F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3194308228.0000025C688FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3000981418.000000B6B02F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.3017985769.0000025C506C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:08:59:37
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff734f60000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:08:59:37
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:08:59:39
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4009408c-31a1-41c0-ab9d-adb0280bc8eb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1738b660000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670488354.000001738BA40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2668823708.000001738B889000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C172000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2668823708.000001738B840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2668823708.000001738B8C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2684472829.00000173A4936000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2688573647.00000173A4B04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C0D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738BF31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C1A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2682711881.00000173A4860000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2686072407.00000173A49F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738BFC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C19D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C16F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2670904459.000001738C22F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:08:59:39
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:08:59:40
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7c06d0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2545794268.0000021C8298B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2545933131.0000021C82B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2545794268.0000021C829A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2545794268.0000021C82980000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000003.2468669682.0000021C82B90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:08:59:40
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:08:59:40
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff756940000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000020.00000002.2544602998.00000259B9B40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:08:59:41
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff632ac0000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:08:59:43
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "c07293d4-38c6-44aa-9d75-395d697314bb" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x290e4d30000
                                                                                                                                                                                                                                        File size:72'744 bytes
                                                                                                                                                                                                                                        MD5 hash:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3334836320.00000290E5130000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3336972786.00000290E57EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3326895328.00000290E4F8C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3336972786.00000290E5771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3336972786.00000290E5873000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3326895328.00000290E4F41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3326895328.00000290E4F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3322902397.0000009D490F1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000000.2496719341.00000290E4D32000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3336972786.00000290E5881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3326895328.00000290E4F0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3326895328.00000290E4F43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.3388917607.00000290FDEF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:08:59:43
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:08:59:48
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:08:59:51
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1c16a980000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2638183439.000001C16BC10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2638183439.000001C16BBA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AC4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AD25000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AD2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2641332424.000001C16CB85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2641509915.000001C16CB96000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635124376.000001C16AA70000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635212357.000001C16AB80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2629623199.000001C1005B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2641297132.000001C16C987000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AC81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2654681165.00007FF89F789000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2636637117.000001C16AD62000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16ACCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AC88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2635542993.000001C16AC40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2629623199.000001C100001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000000.2579531763.000001C16A982000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2629623199.000001C1000EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:08:59:51
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:09:00:03
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "e4eb36e3-36f9-405c-94f5-331e41aaf8f7" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x22f89e50000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89F8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89F50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2762473711.0000022FA3000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738372378.0000022F89F40000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89FD4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2741780844.0000022F8A881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2766419497.0000022FA40B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89F59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89F8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2767656575.0000022FA42EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2741780844.0000022F8A890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2740518045.0000022F8A2A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2741780844.0000022F8A96D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2738412795.0000022F89F6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2762473711.0000022FA3098000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2816417808.00007FF89F759000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2741780844.0000022F8AE2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:09:00:03
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:09:00:10
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "a8eb19e9-c148-4266-8b8e-3a21f8c15832" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x22ee6ae0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2937756946.0000022EE6CB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2937756946.0000022EE6C78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2935397618.0000022E80278000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2937756946.0000022EE6C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2937756946.0000022EE6C4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945471974.0000022EE761F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945471974.0000022EE74A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2937756946.0000022EE6C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2919184631.0000022E800B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945471974.0000022EE76D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945471974.0000022EE761C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2920253461.0000022E800BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2927057579.0000022E80183000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945471974.0000022EE75D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2945064993.0000022EE6FC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:09:00:10
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:09:00:10
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7c06d0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2846722151.00000286864BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2846722151.00000286864D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2846722151.00000286864B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2846926984.00000286865B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000003.2774599402.00000286865D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:09:00:10
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:09:00:11
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff756940000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2843937085.00000158CA5E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:09:00:14
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "4a0a2bf5-84d2-4b40-b65b-4c5b7ee9dcbb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1fa6bdc0000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3128697704.000001FA00116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000000.2806016103.000001FA6BDC2000.00000002.00000001.01000000.00000027.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3124558278.000000B4598F3000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3194187076.000001FA6BFCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3194187076.000001FA6BFC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3128697704.000001FA0025F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3204012277.000001FA6C1A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3128697704.000001FA00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3194187076.000001FA6C002000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3194187076.000001FA6C0AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3205395901.000001FA6C2A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3194187076.000001FA6C04E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3128697704.000001FA00170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3210402656.000001FA6D122000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3210402656.000001FA6D090000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.3128697704.000001FA00270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:09:00:14
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:09:00:16
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x198800c0000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.0000019880229000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.0000019880150000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2842765284.0000019880AA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.000001988018E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2842765284.0000019880A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.000001988016F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.00000198801D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2842303493.0000019880470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2837394106.0000019880158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:09:00:17
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:09:00:19
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "3f27abf0-2233-41cd-bb48-f7a92ebeb7f1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x28b618b0000
                                                                                                                                                                                                                                        File size:33'320 bytes
                                                                                                                                                                                                                                        MD5 hash:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61ACC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61AC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3542552220.0000028B7AA50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61B4D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3337876001.0000028B61D42000.00000002.00000001.01000000.00000044.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B6246F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000000.2855771996.0000028B618B2000.00000002.00000001.01000000.0000002A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B62162000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3338866084.0000028B61D60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B62101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3336533396.0000028B61C42000.00000002.00000001.01000000.00000043.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61B03000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3323242307.000000C3306F1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B62424000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3542552220.0000028B7AAA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61B0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B62228000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B621AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3327648384.0000028B61AE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3339186998.0000028B6217F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:09:00:19
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:09:00:20
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "13d7cb11-12ed-4ac5-b3b7-92f0fb618600" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x20c8d710000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E204000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3219365412.0000020CA7960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E67A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E648000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E63F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3086536008.0000020C8DA60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076606408.0000020C8D8F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3217746100.0000020CA7677000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076606408.0000020C8D92D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076606408.0000020C8D93B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E217000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3282601110.00007FF89F889000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E4E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3219218842.0000020CA789D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3217851993.0000020CA7875000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076606408.0000020C8D97B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076248038.0000020C8D800000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E39E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E069000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E407000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3219018709.0000020CA7899000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E674000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E549000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8E20E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3222652432.0000020CA7A6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3088969639.0000020C8DF81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3076606408.0000020C8D8F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.3204434923.0000020CA69D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:09:00:20
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:09:00:23
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "61a9538a-ac35-49dd-a2da-8f1d39fe0cc3" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1ee697d0000
                                                                                                                                                                                                                                        File size:201'256 bytes
                                                                                                                                                                                                                                        MD5 hash:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE00194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3070712800.000001EE699DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3019802711.0000000692D3E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE005EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE0019E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3070712800.000001EE69950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE001B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3070712800.000001EE69992000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3078123955.000001EE69C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000000.2898979422.000001EE697D2000.00000002.00000001.01000000.0000002B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE000D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE002C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE005FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3070712800.000001EE6995C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE00213000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE0026D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE00247000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3079429699.000001EE6A002000.00000002.00000001.01000000.00000037.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3086239610.000001EE6A940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.3023444762.000001EE0035B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:09:00:23
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:09:00:24
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                        Imagebase:0x7ff7afae0000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3112729384.0000029F5E63A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.3114345807.0000029F5DB71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.3114873045.0000029F5E63C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3053982314.0000029F5E570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3112789454.0000029F5DB6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3113224814.0000029F5E63B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3112646076.0000029F5E67E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.2986269233.0000029F5E63A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000003.3109705875.0000029F5E570000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:09:00:25
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 42263619842A193E6FDC049D908E5C9F E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0xa80000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:09:00:25
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI7561.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5273656 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x460000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000003.2924823749.00000000040B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:09:00:25
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" b4e82e32-b266-4530-919e-fe1de1f98e09 "5f5d8b63-61a4-4f01-9824-4c10890159e8" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OagB2IAJ
                                                                                                                                                                                                                                        Imagebase:0x1eca9fd0000
                                                                                                                                                                                                                                        File size:219'696 bytes
                                                                                                                                                                                                                                        MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2978507128.000001ECAA0CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2978507128.000001ECAA14B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2978507128.000001ECAA0C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAA80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2984787952.000001ECAA310000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAC8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAC94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAC92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2978507128.000001ECAA18A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3005489047.000001ECC33B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAC90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAA7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000000.2920241940.000001ECA9FD2000.00000002.00000001.01000000.0000002D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3005489047.000001ECC3385000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2978507128.000001ECAA100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.3005489047.000001ECC3310000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAC96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAAA61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2988773953.000001ECAABCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:09:00:25
                                                                                                                                                                                                                                        Start date:19/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 04E21630 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $cq$$cq
                                                                                                                                                                                                                                          • API String ID: 0-2695052418
                                                                                                                                                                                                                                          • Opcode ID: 56dc3dd214bc9572075bd685ba0d4aa71cfc117725aaaf70ceec9eae48d45f58
                                                                                                                                                                                                                                          • Instruction ID: 0a0b8c6217bada21ec52788626f2670121afc9981dbcf65141a609e3d19350f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56dc3dd214bc9572075bd685ba0d4aa71cfc117725aaaf70ceec9eae48d45f58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D151FF75B002189FDB15DF78D9406AEBBF6FFC9350B14846AD809DB364DA30AE02C791
                                                                                                                                                                                                                                          Function 04E21080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 9c7259ba95aedc6e813362aabaab08d4bf5cfa5f64dbe5f4cea280c3487f3c40
                                                                                                                                                                                                                                          • Instruction ID: 2271700c98e7418fb9b4b8dc100502130be0eb0f78b602f45fe019167edd1aad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c7259ba95aedc6e813362aabaab08d4bf5cfa5f64dbe5f4cea280c3487f3c40
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F71D275B002249BEF05ABB5C914ABEB7E7EFC8304F158029E506AB3A4DE30ED428750
                                                                                                                                                                                                                                          Function 04E20E8C Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 75ab371ca8fbdf9adf9bbc2e440b4c378f23e281ca111c86b65a2227f878348e
                                                                                                                                                                                                                                          • Instruction ID: 84c962b37899559c89befa86b11e3c8fb68cfd7f6e29ee8c949e553c4f318a9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75ab371ca8fbdf9adf9bbc2e440b4c378f23e281ca111c86b65a2227f878348e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8411C31B401246BFB18A7699974B6E77AADFC9314F14943DDA06AB380CE35BD0583D1
                                                                                                                                                                                                                                          Function 04E20C1C Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 8dd9103727ef1e21778e4f43316b8fbc152cb29512ceae98b4ff372026ba7ff2
                                                                                                                                                                                                                                          • Instruction ID: ba9e8c1419bd4c094077d19458812630251a8f3cf565788b353cd27f5d7f1055
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dd9103727ef1e21778e4f43316b8fbc152cb29512ceae98b4ff372026ba7ff2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A510630B04214AFEB08EBA9D9647AE7BB2EFC9318F144469D506EB381CE396D458791
                                                                                                                                                                                                                                          Function 04E22644 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 52d1a56589e69d828c0073ed5f6a8ac618a1a9f7a21591f87aab0e2e91d7f3ea
                                                                                                                                                                                                                                          • Instruction ID: 418ad1b9e24ec28c13cb1f3e70cad3ead71feef19091a8ba3e50ebb7ea2256ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52d1a56589e69d828c0073ed5f6a8ac618a1a9f7a21591f87aab0e2e91d7f3ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4318821B083641BFB296B76592437E3BAB9FC625CF0484FAD741DB782DD68AC054391
                                                                                                                                                                                                                                          Function 04E22764 Relevance: .4, Instructions: 396COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c444bd4d70b8bc05cd6b7a42daef3b07aeac3886d361d40e193d95068ac6915
                                                                                                                                                                                                                                          • Instruction ID: d8de30e38152057040b9647f72dcb801c34e2bb3ce08731943f890abdb345950
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c444bd4d70b8bc05cd6b7a42daef3b07aeac3886d361d40e193d95068ac6915
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22E0E5B0C04209DFC760EF79560129A7FF1BB5920875092EAC589D2B10F632A5038B92
                                                                                                                                                                                                                                          Function 04E223B8 Relevance: .2, Instructions: 183COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b8c226cc40506f5e591e104ab58b033aa260a607b52c5302e0096d795dac646b
                                                                                                                                                                                                                                          • Instruction ID: 2b954734da6cc35c2b61432e98ab73ab1f05ffc01b639e26dd46d97de88e0638
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8c226cc40506f5e591e104ab58b033aa260a607b52c5302e0096d795dac646b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25514431B05626CFCB10CF68D954A6ABBB5FF49318B1581E6E604CB262EB30EC41C791
                                                                                                                                                                                                                                          Function 04E22268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3722ae344aa3530d246a866d1bd157548633776e8f98fb4ce8d2adedd872378b
                                                                                                                                                                                                                                          • Instruction ID: 7a59c9d12939bfbf4ad6a9ee70fca32e8152699887598ca326fa11c2c542d7fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3722ae344aa3530d246a866d1bd157548633776e8f98fb4ce8d2adedd872378b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2413A36B001159FCB44DF69D98099EBBB2FF89314B1481A9EA05EB360DB31EC41CB90
                                                                                                                                                                                                                                          Function 04E22664 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e7108f2af8b4a201a236c71a3dcc44db3d2e1c916a426f5b07740dedb09cebac
                                                                                                                                                                                                                                          • Instruction ID: 594c2e3b6f177ee65eed28a9ab3937978e1498491658fd340bb3cee8e82b0f9a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7108f2af8b4a201a236c71a3dcc44db3d2e1c916a426f5b07740dedb09cebac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5431F1756093B8AFE701277579253EA7F58CF4335DF0184F7EB448B192ED6858098391
                                                                                                                                                                                                                                          Function 04E21050 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bf72bb8d08c09e2aa3c44263b5b8e2cb7915846b2e2210baad93e0fb8904666
                                                                                                                                                                                                                                          • Instruction ID: ea99a5149d241173c01ff2bcd5b184f6bea4915fcd492391c97f3d1a35e3b429
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bf72bb8d08c09e2aa3c44263b5b8e2cb7915846b2e2210baad93e0fb8904666
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85214D3270027497DB109B79D960AFEFBA9DFC8248F045066D501DB341E970AE0A8391
                                                                                                                                                                                                                                          Function 04E22258 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9ea316e749c2a6217efb969a62701b263108c312e42ae8345a22ce2611fbea0c
                                                                                                                                                                                                                                          • Instruction ID: 682759b2ae869bf4fe13f65d1d8190ba8ad0cacf0be8abeeb8ef245d674c46c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ea316e749c2a6217efb969a62701b263108c312e42ae8345a22ce2611fbea0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D215E76A101189FCB44DF69D9819DEBBB6FF8C714B108169E905EB320EB31A841CB90
                                                                                                                                                                                                                                          Function 04E22CBB Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a01c2667d88806754199460195559aa39a6acfdba89a79fa6142418a64f73cb4
                                                                                                                                                                                                                                          • Instruction ID: 90513aad4856cacc4130cef6f367a01247446dc7202f1117bc3ebdc98cfc2a61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a01c2667d88806754199460195559aa39a6acfdba89a79fa6142418a64f73cb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0021A134B00214AFE708EBA5E560A99BBB6EFCC358F145029E419AB381CF797D45CB90
                                                                                                                                                                                                                                          Function 04E22CC8 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71a8366746d05bc2e4ab88a2c898d13ed8c3c2017a7a61e4458b2643c09c530f
                                                                                                                                                                                                                                          • Instruction ID: e57fbf80a77d795dd0d7437c14ed71646f1ec5bb57d6d91a724935b5412ead0d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71a8366746d05bc2e4ab88a2c898d13ed8c3c2017a7a61e4458b2643c09c530f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD115130B00114AFEB04EFA5D560AA9BBB6EF8C319F145029E419AB385CF797D45CB90
                                                                                                                                                                                                                                          Function 04E21378 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b67935169ef07bfad099387cf57a69b6cbbe59ee58e554e0c3e9d892251b599c
                                                                                                                                                                                                                                          • Instruction ID: 05adaa6458992b3f3f7437e01ed1bb231f5d17a00e61e22013ec937dfc0a6a33
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b67935169ef07bfad099387cf57a69b6cbbe59ee58e554e0c3e9d892251b599c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45211571D002498FDB20DFAAC9856EEFBF4FF48324F108429D51967240D7756A06CFA1
                                                                                                                                                                                                                                          Function 04E21958 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f281836e9616ebc173af4ee8572f41ed4ab7f32b991f7eb9449b53da1d07bbd5
                                                                                                                                                                                                                                          • Instruction ID: 31721e5a22265a4a5c2fcf1ba688478af2e1d96bec68f15c77c4529b2662cbee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f281836e9616ebc173af4ee8572f41ed4ab7f32b991f7eb9449b53da1d07bbd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97114235A00114EFD708EFA5E4796A9BBB6EF8C355F144029E809A7341DF396C46CB90
                                                                                                                                                                                                                                          Function 04E21380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 59f70356e157f5789a23782b5d82af87f58e5c2fda203b73626da21c6aa7fb49
                                                                                                                                                                                                                                          • Instruction ID: cf5336cb2a9b01696af12eb7a402764908b0b207bda4ae09af7abf1472895e47
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59f70356e157f5789a23782b5d82af87f58e5c2fda203b73626da21c6aa7fb49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4611F4B5D042498FDB20DFAAC985AEEFBF4FF48324F10842AD51967240CB756A05CFA1
                                                                                                                                                                                                                                          Function 04E21968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 796250dbc244f908d84462f51c485e7083995a160b9b5266c3d0be018ddce6ae
                                                                                                                                                                                                                                          • Instruction ID: ec15e800ee98c01b47e7ae10c146d8eeb2ca421d59f68aadda0b5d3a02f8a0ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 796250dbc244f908d84462f51c485e7083995a160b9b5266c3d0be018ddce6ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50114275A00214FFDB04EFA5E474AA97BB6EF8C355F144019E41AAB341CF796C45CB90
                                                                                                                                                                                                                                          Function 04E21440 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3804b3c800a23d87d50110356277efe1996ad10a9a7b0e1d189e19c31aa6ac16
                                                                                                                                                                                                                                          • Instruction ID: fa28a63eed248b9b4f9a2518fb630000b82cbe59230e80e413a3f43ffa14ccda
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3804b3c800a23d87d50110356277efe1996ad10a9a7b0e1d189e19c31aa6ac16
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06014770B097155FCB09AFB57A361167FB5EFC225830508AAD50ACF2A3FD189D058391
                                                                                                                                                                                                                                          Function 04A9D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2072820531.0000000004A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A9D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4a9d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f0b036426130fe6147c326abdb1a8956484bc576059b66454948481be695fed
                                                                                                                                                                                                                                          • Instruction ID: ddee1266ef40f3dfc69e89d51a2f6032d9a032efa827ba7f001289766b3d3562
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f0b036426130fe6147c326abdb1a8956484bc576059b66454948481be695fed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2801F771104304AAFB118F29ED84766BFD8DF41374F18C52AED4A0F242D279AD81C6B1
                                                                                                                                                                                                                                          Function 04E22A98 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2eca6f227c28307684dd70f5568f57a8fccbda0760f124e02e648be68ae36fd7
                                                                                                                                                                                                                                          • Instruction ID: 0486d617dea838505eee07021b4d083ba335e0c81d7e0609d15b2484426ea2f4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2eca6f227c28307684dd70f5568f57a8fccbda0760f124e02e648be68ae36fd7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEF0A2B53043306BC7385E1366806373F5B9FC436C70460E5E784C3A41DD147C0082B4
                                                                                                                                                                                                                                          Function 04E21829 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b114f8a24683a309894e8e4eb6323b580ea9be4eaca449b15a2b4e5b45ef833c
                                                                                                                                                                                                                                          • Instruction ID: 210c086f156a0147a81d2e8f73179511d4147a4d11d948f4a1d77a842c2eb086
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b114f8a24683a309894e8e4eb6323b580ea9be4eaca449b15a2b4e5b45ef833c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A401D131B1012987EB5CAB6892A63FF77B79B88308F10402EC202B33C0CE752E0287D1
                                                                                                                                                                                                                                          Function 04A9D006 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2072820531.0000000004A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A9D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_4a9d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 325bd4d3e8c6c07ee9e5d8c9ae8a1d74c91ba431d0950bc97563133f74055cc6
                                                                                                                                                                                                                                          • Instruction ID: 1f184a2fd9d61a5d48fd2a2cdc8d38b34cb87fb47e9ebe12a0b7ab46b57c7768
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 325bd4d3e8c6c07ee9e5d8c9ae8a1d74c91ba431d0950bc97563133f74055cc6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E301926100D3C05FE7128B259D94752BFA4DF53224F18C0DBD9888F193C2699844C772
                                                                                                                                                                                                                                          Function 04E21431 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: efffe871650fc2511d27a1e6843d54462899689bac56bb94f1cc162836b48371
                                                                                                                                                                                                                                          • Instruction ID: b2787e3881c7a8c2b8e1f728a9d4d8d08b3fe092f071169670f61a68727010b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: efffe871650fc2511d27a1e6843d54462899689bac56bb94f1cc162836b48371
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F021747006125FDB0D9FF565752167BA5EFC226C345086DD109CF293FD1959019381
                                                                                                                                                                                                                                          Function 04E225D1 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d762a192bc05116aa66815c2bac2159fe8a70f1fa34bd9e52fe125f53234e9ed
                                                                                                                                                                                                                                          • Instruction ID: 46dbfdbaa279d75a06052e0e5781b65fb4bf8fd757105a202cc2eb29c25815ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d762a192bc05116aa66815c2bac2159fe8a70f1fa34bd9e52fe125f53234e9ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F02437B000998BCB098A34E4281ED7B729BC9220F50806EEA03A7780EE30190DCB81
                                                                                                                                                                                                                                          Function 04E225E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5875cd62559a0068dec289e9c46531b2e6015624863c6fed237582ad9899350
                                                                                                                                                                                                                                          • Instruction ID: a29ed1f90436245ca4598c604b70c5be89c00c699f7805263058e668b8e97af1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5875cd62559a0068dec289e9c46531b2e6015624863c6fed237582ad9899350
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DAE0E537F1011547CB099679E4185EDB776DBC9220B108036D902B3340EF302D0DCB91
                                                                                                                                                                                                                                          Function 04E22654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25fe78a51a4570215863497d3345daeefc46d246b8938dfb02eb401664cd922d
                                                                                                                                                                                                                                          • Instruction ID: 73195cf2813a5c195e2c902ce5326684e3bf55630b550e63db48ff3b661f83e6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25fe78a51a4570215863497d3345daeefc46d246b8938dfb02eb401664cd922d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EE0922171433802FB382A6957107B627CE9B4074CF002CB9C6418BA46E8C4FC4013E1
                                                                                                                                                                                                                                          Function 04E22590 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bcfa7aa561757f5164eaba0ab8b87241cf7fc13caf1967f1cc609e858d3028cb
                                                                                                                                                                                                                                          • Instruction ID: 2a8e2f426f36c9bea1d8d1676aed29b86de68c673f21871ad2a35e9b33fa3887
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bcfa7aa561757f5164eaba0ab8b87241cf7fc13caf1967f1cc609e858d3028cb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19E086B19093114FD70267B5AC165893FB2DFCA6043828896E5419F253EE687C8983D2
                                                                                                                                                                                                                                          Function 04E217F0 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 27d5af6de4577adb6303a19123eaa95e6da67a2202a7d4752bef393180be7942
                                                                                                                                                                                                                                          • Instruction ID: 56eeb3ace370b25f091181711e4547f3ee6e866f4016e23183dcb8598c04c285
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27d5af6de4577adb6303a19123eaa95e6da67a2202a7d4752bef393180be7942
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3D02B773081C08FC7065B20ED110997F739B5E11030850A7E9C1C76B1DE201514D340
                                                                                                                                                                                                                                          Function 04E20C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 02fdb2e0b618352f695f33b7357ab14e45a21f964932619d1aa61988a33bfd77
                                                                                                                                                                                                                                          • Instruction ID: 98f67d3dd2d31a728c335f38928eabe7f390b54839c7678a01ba129720b0e53e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 02fdb2e0b618352f695f33b7357ab14e45a21f964932619d1aa61988a33bfd77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6D0A7333101286BD6046759DC968BABBA9EB853A43504C27FA0183321DD617C109395
                                                                                                                                                                                                                                          Function 04E22A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91b92bd662c19ed7fde665efa06f39de963df5ee262c5d33cafebe003c3423f2
                                                                                                                                                                                                                                          • Instruction ID: 7b0834b7a3f355ac4ee64f77fe4cec5f4bd2d2a73f1a1d26f23a001e649157af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91b92bd662c19ed7fde665efa06f39de963df5ee262c5d33cafebe003c3423f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70E012B0D002099FC750EFB9850155EBBF4BB49204B1085EDC54CD7600FB72A602CB91
                                                                                                                                                                                                                                          Function 04E20440 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.2070683069.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 193b1aefd440a30e2b5581a17130f941a5087e4be0f469be78d6df77772294b4
                                                                                                                                                                                                                                          • Instruction ID: 6e6ee864f5d12ef126f2b3cdaddf7551feed80fe75ec28f1edb4daa4796309d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 193b1aefd440a30e2b5581a17130f941a5087e4be0f469be78d6df77772294b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63C012D7625951ABE716024848966F63730EA7120838CC159C44154457A21260138175

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 045B71D0 Relevance: 9.9, Strings: 7, Instructions: 1109COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142073361.00000000045B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045B0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_45b0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Plcq$Plcq$Plcq$Plcq$Plcq$x hq$|k<p
                                                                                                                                                                                                                                          • API String ID: 0-3746291425
                                                                                                                                                                                                                                          • Opcode ID: 6c06c004bd2213f535a306c384181f9823e5653077ce1dd7b38e4b90d67baeb9
                                                                                                                                                                                                                                          • Instruction ID: 21cdf0d24f079c593841331f9759622a241b7404f4fc809c816d5916c14f2a69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c06c004bd2213f535a306c384181f9823e5653077ce1dd7b38e4b90d67baeb9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD924F757006058FCB15DF69D494AAABBF2FFC8305F158869E4869B3A2DB30EC41DB90
                                                                                                                                                                                                                                          Function 045B0040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142073361.00000000045B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045B0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_45b0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;cq
                                                                                                                                                                                                                                          • API String ID: 0-3782417593
                                                                                                                                                                                                                                          • Opcode ID: a6daff003c65c9a449e07cb6d9779efc7ba1e597883e0cc64fa15bd7a7307e99
                                                                                                                                                                                                                                          • Instruction ID: 83e831189f22ee44cbf21ca9851d92ab66de943a9a06dfe55e0159f0b863b82b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6daff003c65c9a449e07cb6d9779efc7ba1e597883e0cc64fa15bd7a7307e99
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC228C34A1061ACFDB04DF74C84469DB7B1FF89304F1186A9E846BB351EB74E989DB90
                                                                                                                                                                                                                                          Function 044C74C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: eq$$&dq$(_cq$4'cq$4'cq$4'cq$4'cq$4ccq$4ccq$@bcq$|-dq$$cq$$cq$ccq$ccq$eq
                                                                                                                                                                                                                                          • API String ID: 0-98365856
                                                                                                                                                                                                                                          • Opcode ID: bc09a53851b0c1765113d2241aa4d30d5a16369b7fcea03f2dc83d1b61442760
                                                                                                                                                                                                                                          • Instruction ID: 7a7e1a511d6e5fca0dddf5bd0f5e4c2547da96482ade0cc9b56db78e8155aa41
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc09a53851b0c1765113d2241aa4d30d5a16369b7fcea03f2dc83d1b61442760
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC9209B5900228DFDB259F64C844AEEBBB2FF89300F1045E9D509AB291DF359E85DF81
                                                                                                                                                                                                                                          Function 044CB688 Relevance: 6.5, Strings: 5, Instructions: 223COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$\;cq$l;Cp$?Cp$|bq
                                                                                                                                                                                                                                          • API String ID: 0-1251146650
                                                                                                                                                                                                                                          • Opcode ID: af5f70f6a131ff691cb17d14e9ff42767e07faf6e4157ed9ab7dfd5ddc990c1a
                                                                                                                                                                                                                                          • Instruction ID: 15705ffca8fc416460975ec6c059b55a43f7f0b862468a490b376078fd9937d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af5f70f6a131ff691cb17d14e9ff42767e07faf6e4157ed9ab7dfd5ddc990c1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 296105B8B005564BDF549A6AA85197FB7A7FFD4340B28842FD802D7394EE34FC0297A1
                                                                                                                                                                                                                                          Function 044CB9F8 Relevance: 5.3, Strings: 4, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$(gq$(gq$(gq
                                                                                                                                                                                                                                          • API String ID: 0-1248210538
                                                                                                                                                                                                                                          • Opcode ID: 0510aff9c3425751bae5399e2ca393499cf6c22e4b1b9564141aa8dc0aee6b53
                                                                                                                                                                                                                                          • Instruction ID: 59b203e7f68b4d3d468e075b9071ee3011f982c785cf391069ee9df868cf47ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0510aff9c3425751bae5399e2ca393499cf6c22e4b1b9564141aa8dc0aee6b53
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F881D236B001148FCB05EFB9E45569F7BE6EF84710B1580AAE50ACB391EF34EE058791
                                                                                                                                                                                                                                          Function 044C85C0 Relevance: 2.9, Strings: 2, Instructions: 432COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$d
                                                                                                                                                                                                                                          • API String ID: 0-4050097227
                                                                                                                                                                                                                                          • Opcode ID: 99b34491c440d81287887cdc7a8a8536687ee227595282ac3f46ecfe83543792
                                                                                                                                                                                                                                          • Instruction ID: 10b93f696ada55fa8dc1141833724ecb390974c098666c6558a8e991778b5d60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99b34491c440d81287887cdc7a8a8536687ee227595282ac3f46ecfe83543792
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2F1BC38A00A058FDB50DF19C48496ABBF2FF88315B19CA6ED45A9B761D730FC46CB90
                                                                                                                                                                                                                                          Function 044C6C20 Relevance: 2.9, Strings: 2, Instructions: 419COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$|7Cp
                                                                                                                                                                                                                                          • API String ID: 0-2058215864
                                                                                                                                                                                                                                          • Opcode ID: a7dd55a3e4a2f49e84237169f9ed902425d0349a6996a3c0ae517581eb79aa92
                                                                                                                                                                                                                                          • Instruction ID: 768053729093bce2094779ddcc3c766acfd7f6aabe54f7d5f42851b51cad5449
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7dd55a3e4a2f49e84237169f9ed902425d0349a6996a3c0ae517581eb79aa92
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8E1EFB9B001158FCB649F69C4945AF7BE2FFC9310B19845EE4469B395EB30ED428B82
                                                                                                                                                                                                                                          Function 044C1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $cq$$cq
                                                                                                                                                                                                                                          • API String ID: 0-2695052418
                                                                                                                                                                                                                                          • Opcode ID: c7ac1dbd3251880e26cbe7ed56fe9aa2d8a8c64dab5a02495cd0c4328691fe7f
                                                                                                                                                                                                                                          • Instruction ID: 30934ff61bbd15b845d2b04ef6f2c724fa11c06dd41b4de8e30c841ff1d9300a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7ac1dbd3251880e26cbe7ed56fe9aa2d8a8c64dab5a02495cd0c4328691fe7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1451CE39B012089FCB55DF79D8906AEBBF6EFC9350B18816AD409D7356DA30AC42CB91
                                                                                                                                                                                                                                          Function 044C4EC0 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$4'cq
                                                                                                                                                                                                                                          • API String ID: 0-3668452910
                                                                                                                                                                                                                                          • Opcode ID: 027d8f67558d2f18331f0f727c986dd7f840566f8bf567acc41c3b7dbc2e4880
                                                                                                                                                                                                                                          • Instruction ID: ea965945e808a3340063a7e131b7cc30a590aadea2606dee6dbc9f2f6765f22e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 027d8f67558d2f18331f0f727c986dd7f840566f8bf567acc41c3b7dbc2e4880
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2641ACB8B042588BCB45EF6DC85066F7BA6BFC5345724459AD005CF386DF34ED068BA2
                                                                                                                                                                                                                                          Function 044C30EC Relevance: 2.6, Strings: 2, Instructions: 140COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$LRcq
                                                                                                                                                                                                                                          • API String ID: 0-639173862
                                                                                                                                                                                                                                          • Opcode ID: 805ebfaeb9754bc06133aaedfc5ce2f2faa2dce52daf814eb1cffcbd6cf64a75
                                                                                                                                                                                                                                          • Instruction ID: d9ddf1f9c8540d85000a28462e7548dbaa71f6c92ed7bc7cc071348b4aef3eef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 805ebfaeb9754bc06133aaedfc5ce2f2faa2dce52daf814eb1cffcbd6cf64a75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C41F079B052144FDB49AF78985473F3BA6EF85304B08C46EE802C7396DE34E8428790
                                                                                                                                                                                                                                          Function 044CA228 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$(gq
                                                                                                                                                                                                                                          • API String ID: 0-3425431731
                                                                                                                                                                                                                                          • Opcode ID: 7bdc6ce17086d03d3c55dd11cfbfdd03d6420597c70b370d9b6af0523a653aa5
                                                                                                                                                                                                                                          • Instruction ID: 719706ca6c4f8ec8862bec8f8e341ea9f11cd13d2aeba90646fb3d862a41be8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7bdc6ce17086d03d3c55dd11cfbfdd03d6420597c70b370d9b6af0523a653aa5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E241E634B041549FDB55CB68C894B9EBBF2EF89710F18809AD405BB391DF35AD06CB90
                                                                                                                                                                                                                                          Function 044CEA88 Relevance: 2.6, Strings: 2, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$T;Cp
                                                                                                                                                                                                                                          • API String ID: 0-372350733
                                                                                                                                                                                                                                          • Opcode ID: e86ebc02b2655a9ab856eb6d108a4af3b1f5c4526af3f2906e7819a93b87a75f
                                                                                                                                                                                                                                          • Instruction ID: a54d1ef4dfe7959d90cee4d63fe8576ed73a587117a8dc4221c4a3193ea3078d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e86ebc02b2655a9ab856eb6d108a4af3b1f5c4526af3f2906e7819a93b87a75f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE31DF39B002054FDB18DA2DD85587FBBA6EFC8650724447EE506CB390EF34ED028B91
                                                                                                                                                                                                                                          Function 044C99B8 Relevance: 1.6, Strings: 1, Instructions: 338COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: e4b8a82e4a5b2900f18bce3a7109118087a0c9d39197ac228a243a7ad3f40533
                                                                                                                                                                                                                                          • Instruction ID: af213b4928950d5c50c6d901faa36ade77fd2f246d9f0fed1d1d5f2eed7f7f0b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4b8a82e4a5b2900f18bce3a7109118087a0c9d39197ac228a243a7ad3f40533
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6E14C74A003599FCB45CFA8C884A9DBBF2FF89304F19819AD809AB355DB74ED45CB50
                                                                                                                                                                                                                                          Function 044CE1F0 Relevance: 1.6, Strings: 1, Instructions: 326COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Ahq
                                                                                                                                                                                                                                          • API String ID: 0-3216777023
                                                                                                                                                                                                                                          • Opcode ID: e8e0dfe4b34186166686e2b150b20c7fd99449a3bf22a73e61b56d7ea101f277
                                                                                                                                                                                                                                          • Instruction ID: 8161bdbf20fc1b3489bf1592e3d350fee92dbd6b765ed97bc51b8e5fcd5c5a32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8e0dfe4b34186166686e2b150b20c7fd99449a3bf22a73e61b56d7ea101f277
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47C16078B102198FDB55DFA9D8546AEBBB2BF88300F28442AD406EB355DF34ED02CB51
                                                                                                                                                                                                                                          Function 045B9FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 045B9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142073361.00000000045B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045B0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_45b0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: 34abf098d733f36e21c5454ca08a6be64fad748e006d630949ff4c83f928f45e
                                                                                                                                                                                                                                          • Instruction ID: 739c06eeac1d3211dfe83a43589cbae6a956e125088692d090a7f9178fec486f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34abf098d733f36e21c5454ca08a6be64fad748e006d630949ff4c83f928f45e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D113A36B0160CDFEB10CA78E4843DCBBB1FB89328F148525D55553290EA36BD48EB90
                                                                                                                                                                                                                                          Function 045B9FD0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 045B9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142073361.00000000045B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045B0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_45b0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: b75199aacf089b58ecd253ebe436b6cfd65604a3dde7c774c0cdefcb1a581164
                                                                                                                                                                                                                                          • Instruction ID: 7b724ffc395cb6e7497f67ee314a060bb6392c938cd3000bd22fd5d93b8371ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b75199aacf089b58ecd253ebe436b6cfd65604a3dde7c774c0cdefcb1a581164
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A113636E01A089FDB14CA78E8843DDB7A1FF89368F148514C891631A0EB31AD4AEB91
                                                                                                                                                                                                                                          Function 044CBE40 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qfn^
                                                                                                                                                                                                                                          • API String ID: 0-1093184708
                                                                                                                                                                                                                                          • Opcode ID: 0f6120bf59e94481a9a363546e3f7b236ccabd08d9d43fc3a31e907f196c898e
                                                                                                                                                                                                                                          • Instruction ID: db8bbf0836a190eb4224f2d7ac24eb3469bfed772a219d0e0be3f3c16eabeec9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f6120bf59e94481a9a363546e3f7b236ccabd08d9d43fc3a31e907f196c898e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10B18B78B006058FDB15DF39D58496ABBF2FF88205B048569E90A8B365EF34EC06DF51
                                                                                                                                                                                                                                          Function 044C1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 09c97ddf189d015ff2c68e7168248004ff9e30529add38c3af88d6cc284ac698
                                                                                                                                                                                                                                          • Instruction ID: d36a6cc7cf4594027b9b8117fada451352b2e2c171e475c17499a1ef7166bfa6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09c97ddf189d015ff2c68e7168248004ff9e30529add38c3af88d6cc284ac698
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F471A479F002148BDF55ABB5C85466EB7A7EFC8310F18802AE506EB3A5DE34EC428B51
                                                                                                                                                                                                                                          Function 044C6048 Relevance: 1.4, Strings: 1, Instructions: 192COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: cff7c0bd7688cef48b4649f898e1667b5544a1d34d9f345a4360192b85815e9f
                                                                                                                                                                                                                                          • Instruction ID: 19061bcdf42dc346d22bcf72f5084d6cc5c8435fcf528ea44039ca2448cf6bf3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cff7c0bd7688cef48b4649f898e1667b5544a1d34d9f345a4360192b85815e9f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF713D78A006089FDB05EBE8C8606EEBFB2FF88314F104469D1167B791DF39AD459B52
                                                                                                                                                                                                                                          Function 044CBE33 Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qfn^
                                                                                                                                                                                                                                          • API String ID: 0-1093184708
                                                                                                                                                                                                                                          • Opcode ID: d1344560205c75f28e89f230bf8d21e1c28ec07cbe610a901b6ba92eb599645c
                                                                                                                                                                                                                                          • Instruction ID: 733832b9b33338da6ad04eecd91a39de299b8ebba8758e233f6dd8194c6634e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1344560205c75f28e89f230bf8d21e1c28ec07cbe610a901b6ba92eb599645c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67717B78B006058FDB05DF38D49496EBBF2FF88204B048669E9468B355EB34EC46DF91
                                                                                                                                                                                                                                          Function 044C68E0 Relevance: 1.4, Strings: 1, Instructions: 188COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 71aae686d6419bb28e82d3ae9999358c1eb9dfe671839c41205df3939c86a041
                                                                                                                                                                                                                                          • Instruction ID: 64541c00224f4909f6994c9cdaeb175ca62b555c4e1235b41ed27a9251b0a7d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71aae686d6419bb28e82d3ae9999358c1eb9dfe671839c41205df3939c86a041
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2614B7AB002059FCB01CF59D8809AABBF6FF8D310B1580AAE959DB321D731ED15DB90
                                                                                                                                                                                                                                          Function 044CE7D8 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<Cp
                                                                                                                                                                                                                                          • API String ID: 0-1453738391
                                                                                                                                                                                                                                          • Opcode ID: 1eeee86961421d0d867b583ad1780fcad78e58aecf47717557637c7f29896f49
                                                                                                                                                                                                                                          • Instruction ID: d19e065fc5327c1d7deeb63dfff7b608a74cb6fb8b8d716e00200c345866fa10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1eeee86961421d0d867b583ad1780fcad78e58aecf47717557637c7f29896f49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80616F38B001098FCB95EFA9D55466EB7F6AFC8700B24842ED506E7394DF74ED068B91
                                                                                                                                                                                                                                          Function 044C6BF1 Relevance: 1.4, Strings: 1, Instructions: 166COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: |7Cp
                                                                                                                                                                                                                                          • API String ID: 0-2866306775
                                                                                                                                                                                                                                          • Opcode ID: 45925d575dddfaa91de4a458f92595bad6e3758db952c56821f1701d99247eea
                                                                                                                                                                                                                                          • Instruction ID: a4f98e8a5685413a20ecdd3d26bd0cda6c1730a140551a2a0813d9ce7e3869f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45925d575dddfaa91de4a458f92595bad6e3758db952c56821f1701d99247eea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 20516A74B001058FCB45DF68C995AAEBBF2FF84210B16C56AE4059B396EB30ED45CB91
                                                                                                                                                                                                                                          Function 044C0C1C Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 53b33243ac14a210dc195a9d82b0aab6353c00e62dc0e5ef05fe8b8f2ab1e4b0
                                                                                                                                                                                                                                          • Instruction ID: 488b618ae10ac7962254c42ba656e79b153d14795c9a940c9ce6683edc5aa3e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53b33243ac14a210dc195a9d82b0aab6353c00e62dc0e5ef05fe8b8f2ab1e4b0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE51D234E052449FDB549B68D8647BE7BB2AF89310F58846ED447E7382CE35AC06CBA1
                                                                                                                                                                                                                                          Function 044CC4D8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 01c64951853066f6e8cadb549574b47bde9e6c9ba206d17eba7210e486727c0b
                                                                                                                                                                                                                                          • Instruction ID: 37293427c025595b5321a370b4568bd3199890e9e3f8aec840b9d938516dcea5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01c64951853066f6e8cadb549574b47bde9e6c9ba206d17eba7210e486727c0b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7351B4393046518FC726DB24D49896BBBE2EFC53047088AAED44A8B762DA74FC46C790
                                                                                                                                                                                                                                          Function 044C57B8 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 2c9220e1f6b2a75a42621a35c46b719a5785f9b933a211a6f9b44a511fd41f4d
                                                                                                                                                                                                                                          • Instruction ID: 2afc3f164cdd81b52c0f83199eeab504310b07ca6110eaf936b66ff985e64675
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c9220e1f6b2a75a42621a35c46b719a5785f9b933a211a6f9b44a511fd41f4d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8131F86150E3C04FD717D7358CA8B9A7FA59F93104B0984DFC089CB5A3EA68994BC367
                                                                                                                                                                                                                                          Function 044CE428 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Ahq
                                                                                                                                                                                                                                          • API String ID: 0-3216777023
                                                                                                                                                                                                                                          • Opcode ID: af5ddc616ae5c54f54ce663bf456d8868be5075332bacd75fd88e570a434210e
                                                                                                                                                                                                                                          • Instruction ID: 25b52f38ec07eb188410df2ca968a5a5d88d0e742b80e15e3b9491ebb3d49084
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af5ddc616ae5c54f54ce663bf456d8868be5075332bacd75fd88e570a434210e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91414074B102149FDB55DFA9D854AAEBBB2FF88300F64442AE401AB351EF74AC02CB91
                                                                                                                                                                                                                                          Function 044CE438 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Ahq
                                                                                                                                                                                                                                          • API String ID: 0-3216777023
                                                                                                                                                                                                                                          • Opcode ID: 8e715290999293b9f0b5462fdc8e1f9c9fe6ae534c8d1bbeabffaeec52f24b91
                                                                                                                                                                                                                                          • Instruction ID: 157daefc4cd302d42749a428743452ff2b3524507c78b9944c7e56ddacdffca6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e715290999293b9f0b5462fdc8e1f9c9fe6ae534c8d1bbeabffaeec52f24b91
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12414F74B102149FDB55DFA9D854AAEBBB2FF88300F64442ED402AB355EF74AC01CB91
                                                                                                                                                                                                                                          Function 044CE7C7 Relevance: 1.4, Strings: 1, Instructions: 120COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<Cp
                                                                                                                                                                                                                                          • API String ID: 0-1453738391
                                                                                                                                                                                                                                          • Opcode ID: 6352c8b884716a74b5334f2a810ec8535697b021aec8a768a3ff48cdaeb28a2a
                                                                                                                                                                                                                                          • Instruction ID: ae96853a264ab82b277e5a4d9564c3f02ab9b4bb4e273dc4c416809f1d302959
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6352c8b884716a74b5334f2a810ec8535697b021aec8a768a3ff48cdaeb28a2a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D418F35B005048FCB59AF69D4946AFBBF6AFC8700B24842ED406E7394DF75AD068BA1
                                                                                                                                                                                                                                          Function 044C85B0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: cc572f7ce2466237976816b9c5b4ac31d207929e4a35966e11e320eed4f6f391
                                                                                                                                                                                                                                          • Instruction ID: 56654b8c5fc9e1c95b5e7aa511605bcefa48c45ae9febe4850ba35023841ac5b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc572f7ce2466237976816b9c5b4ac31d207929e4a35966e11e320eed4f6f391
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A419C38B00605CFDB50DF59C48496ABBF2FF89315B19896EE45AAB751DB30F841CB90
                                                                                                                                                                                                                                          Function 044C858F Relevance: 1.4, Strings: 1, Instructions: 118COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: 6a292253f6d571eb0900b289243503b2e1ec8307821161ffa9f90529a2ef0a1b
                                                                                                                                                                                                                                          • Instruction ID: 8a5476f76d3645ace03bc513c08d9e8ae3cfc40ebe5e410d62f91031dc93ced7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6a292253f6d571eb0900b289243503b2e1ec8307821161ffa9f90529a2ef0a1b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB41B938B006048FDB50DF19C484A6ABBF2FF89315B1A895EE45AEB311DB34F802CB50
                                                                                                                                                                                                                                          Function 044C4E90 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 4'cq
                                                                                                                                                                                                                                          • API String ID: 0-182294849
                                                                                                                                                                                                                                          • Opcode ID: 8203a0d540fdcde69f4bc4cb279a6a734e70dc18c0482a308d3dafab34748997
                                                                                                                                                                                                                                          • Instruction ID: d5b7a7044373666e50eff4987416668862c95cf457a8cb15d97e7ef27707979d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8203a0d540fdcde69f4bc4cb279a6a734e70dc18c0482a308d3dafab34748997
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1331A078600649DFCF15DF68C9909AF7BB6FF85304B15859AE4048F352DB30E906CB91
                                                                                                                                                                                                                                          Function 044C3719 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRcq
                                                                                                                                                                                                                                          • API String ID: 0-4134321033
                                                                                                                                                                                                                                          • Opcode ID: d4b25f22e18974a3e66d3579ab9e80e665aaa4ec755fa3d9d187c21059cd2853
                                                                                                                                                                                                                                          • Instruction ID: 6df2a43833d7d2e502485031a78c3e2113a4e3e72b8abf7edc519a124882a6c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4b25f22e18974a3e66d3579ab9e80e665aaa4ec755fa3d9d187c21059cd2853
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E821F379B012454FDF94CF7498857BF3BE6EB85208F18C42EE806C7295EB30E9028750
                                                                                                                                                                                                                                          Function 044C45C8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq
                                                                                                                                                                                                                                          • API String ID: 0-1972435379
                                                                                                                                                                                                                                          • Opcode ID: d5729490857262aafd0f94a36304ef33bf8d632a7da8340af68b5f64e0736229
                                                                                                                                                                                                                                          • Instruction ID: e8ca0461b9accbdfca1549138cdda63c76447e99d4de86c34786b00fa011733e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5729490857262aafd0f94a36304ef33bf8d632a7da8340af68b5f64e0736229
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 542103797002009FDB04DB6DD45486E77E7EFC932071944AAE149CB355EE38EC478B51
                                                                                                                                                                                                                                          Function 044CAF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;cq
                                                                                                                                                                                                                                          • API String ID: 0-3782417593
                                                                                                                                                                                                                                          • Opcode ID: 8aa053c1e19123b64cdea0643079d71668ec4e4c2b0e9393db41811333fa284b
                                                                                                                                                                                                                                          • Instruction ID: 4ae1a13e91fe32f2bf7644a8f48267e642d9313df4ed9149b6045370705b5675
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8aa053c1e19123b64cdea0643079d71668ec4e4c2b0e9393db41811333fa284b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23119E763002054FAF148AAEA490A6BB7DAEFC8229318803BE50EC7745DE75FC004390
                                                                                                                                                                                                                                          Function 044C5F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRcq
                                                                                                                                                                                                                                          • API String ID: 0-4134321033
                                                                                                                                                                                                                                          • Opcode ID: 59e6d3789f38ce539191b006ed943c310e54de0ee64e539bc0a48fad5d4a474f
                                                                                                                                                                                                                                          • Instruction ID: b62e81cb00a5b78a822deccb905938e067ebaf9deafbe162a759dd9e3825478e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59e6d3789f38ce539191b006ed943c310e54de0ee64e539bc0a48fad5d4a474f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5218E38B001089FDB189B69C454AAEBBE6EF88714F14805EE502AB390DEB5AC018F90
                                                                                                                                                                                                                                          Function 044C5F46 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRcq
                                                                                                                                                                                                                                          • API String ID: 0-4134321033
                                                                                                                                                                                                                                          • Opcode ID: 4fd50b9a5167336acecc940b6b9dba319566bc5c1e20c04b7aa361ef84d9fdb8
                                                                                                                                                                                                                                          • Instruction ID: 5e97fcc0ea6afcdc0d0ab101ea9a27ae9147bb94ac36c220d3ebd1e4cd034a7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fd50b9a5167336acecc940b6b9dba319566bc5c1e20c04b7aa361ef84d9fdb8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0216F38B001089FDB589B69D455AAE7BF2EF88714F24805EE902EB394DE756C028F91
                                                                                                                                                                                                                                          Function 044C3370 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fhq
                                                                                                                                                                                                                                          • API String ID: 0-1191864245
                                                                                                                                                                                                                                          • Opcode ID: 1790108cd47916234c4da85ed83b78e429abb4a06a3ba5a99621bde3dae1aeb4
                                                                                                                                                                                                                                          • Instruction ID: 20f88361f002fb5122a8c5ef62c25a7cb3ecf091d3ed0b7164768234f6fbf5fa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1790108cd47916234c4da85ed83b78e429abb4a06a3ba5a99621bde3dae1aeb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87119435B005185FDB099FA5A8946BF7BAAFBC8714F108029F90AD7340DF3489179791
                                                                                                                                                                                                                                          Function 044C3380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fhq
                                                                                                                                                                                                                                          • API String ID: 0-1191864245
                                                                                                                                                                                                                                          • Opcode ID: 131d063478c16fb9bdd735dc51cebed0926d7f0b4ebe2bf4c2e7689d4d2ab25d
                                                                                                                                                                                                                                          • Instruction ID: faa2358b0e09dfef070b16f445577d91d456b8837ccc70b3db08ebb8beb9d065
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 131d063478c16fb9bdd735dc51cebed0926d7f0b4ebe2bf4c2e7689d4d2ab25d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E118279F001185FCB09AFA5985497FBBA6FBC8710F008029F90ADB340DF348D169BA1
                                                                                                                                                                                                                                          Function 044CEA75 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: T;Cp
                                                                                                                                                                                                                                          • API String ID: 0-3326353506
                                                                                                                                                                                                                                          • Opcode ID: aca959ca5913448d5ed3147bd38c6ae2a0d622ec4117496e3778226464f629e4
                                                                                                                                                                                                                                          • Instruction ID: 66092f40c0369f4332d6da3baf9e33d3a1425822721606de8a3319756d7fe442
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aca959ca5913448d5ed3147bd38c6ae2a0d622ec4117496e3778226464f629e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7F0E9393052501FC7051A2D689489FBFBBABCA65036900ABE408CB353DD659C074766
                                                                                                                                                                                                                                          Function 044C99A8 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9138ead0999121b806e8ec3d9187f9476b8d7050f1563f1effbac004305fd1fd
                                                                                                                                                                                                                                          • Instruction ID: 26e39cc9797a10011f4d2f9d9b4334020ca28240405867a2d44f55217523438d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9138ead0999121b806e8ec3d9187f9476b8d7050f1563f1effbac004305fd1fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9D11A78A003599FCB55CFA8C884A9DBBF2FF89304F18819AD809AB355DB74ED45CB50
                                                                                                                                                                                                                                          Function 044CABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 89a30485db6dfcc65526399b8fe0877d8d20e291080a86103388d3e5d9f800c6
                                                                                                                                                                                                                                          • Instruction ID: a3e75d173c8a865625b13f72669ee917ac843e40370caa7f7c88211598431695
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89a30485db6dfcc65526399b8fe0877d8d20e291080a86103388d3e5d9f800c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F75103397001058FDB999F29D498A2A77E7BFC971532980AEE006DF375EE70EC069B40
                                                                                                                                                                                                                                          Function 044CB48F Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 456fc773d2d7af6ae3830b64c99ecf6f3a0fe7340f4e9fde8336ab3ea2a0cf0b
                                                                                                                                                                                                                                          • Instruction ID: 375b98bf6b2137f1b3359f7022d131392474173ec5887107516350d41bb6e1e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 456fc773d2d7af6ae3830b64c99ecf6f3a0fe7340f4e9fde8336ab3ea2a0cf0b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E351AFB550A3D15FD7039B28ADA55D63F75EF5321470A41C7D8808F2A3EA28A90BC7A2
                                                                                                                                                                                                                                          Function 044C5482 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6756ab26e6bca1d7e0cba6319528ab03d0a6a92aba200740adc9040da73db37e
                                                                                                                                                                                                                                          • Instruction ID: 33a55be2da89eee9a633209fdeae91dabf4b8b52ed4bcf4d8bbf2ba94e430994
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6756ab26e6bca1d7e0cba6319528ab03d0a6a92aba200740adc9040da73db37e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82512978A0020DABDB05EBA8D8556AEBBB2FF88304F404428E601BB394DF356D45DF61
                                                                                                                                                                                                                                          Function 044C34A8 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 65459d01c403d97a87deacd724cec02edb9cba558d2f909ef3e49b690d782a22
                                                                                                                                                                                                                                          • Instruction ID: 2a238825fed1c0ad092631388e100edf6886f5591b4bad616fb6e2daa879d4ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65459d01c403d97a87deacd724cec02edb9cba558d2f909ef3e49b690d782a22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D851937871051A5BCB06EB28D59056EB7A7EFC4704B408A69F40ADB355EF70ED4B8BC0
                                                                                                                                                                                                                                          Function 044CB4FD Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c749a2fedb2f695190d54ecee1bed51d0523d33eb3a100a44ee542baea58812d
                                                                                                                                                                                                                                          • Instruction ID: a90c118843f24c07145eb03fc7c7b845b7253bc7f8a2c8e97ed261947307087c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c749a2fedb2f695190d54ecee1bed51d0523d33eb3a100a44ee542baea58812d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B41D6B560A3945FD703DB34EDA15D63F75EF52214B0940D7D480CB2A3EA34AA0BC7A2
                                                                                                                                                                                                                                          Function 044C34B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a22334c20986d82761fa30b2d2b2b96172d8efff70fd060cefb319328e28b17
                                                                                                                                                                                                                                          • Instruction ID: f75d6b269407095994c2a1218aec5407b804f14832b8aca60ba74f6306128350
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a22334c20986d82761fa30b2d2b2b96172d8efff70fd060cefb319328e28b17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D51917871050A5BCB46EB28D55052EB7A7EFC4704B408A28F40ADB355EF70ED4B8BC1
                                                                                                                                                                                                                                          Function 044C5490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a7e4c5f708a08af78f29901f8682b0df5fce4a7343183ecfca789a26a99e429b
                                                                                                                                                                                                                                          • Instruction ID: ded734ed8d353afc1b197547115be3ed142f36696e9eae03f958346dcbd92943
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7e4c5f708a08af78f29901f8682b0df5fce4a7343183ecfca789a26a99e429b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7511978E1020DABDB05EBA8D8546AEBBB2FF88304F504428E6017B394DF356D45DF61
                                                                                                                                                                                                                                          Function 044CB4F7 Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5681e42e650b192ae642a87ba25196c33aedf5dd5e36ba82faa0777a4da35e28
                                                                                                                                                                                                                                          • Instruction ID: b219f48c161d1fe7d190e883b828e26a4f4f105883aa9c7497092f503a174683
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5681e42e650b192ae642a87ba25196c33aedf5dd5e36ba82faa0777a4da35e28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F41E67560A3955FDB139B34ECA55D63F75EF42214B0940D7D880CB2A3DA34990BC7A2
                                                                                                                                                                                                                                          Function 044CF681 Relevance: .1, Instructions: 118COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5edbe3948355d7fabd5c8137bc1961b241c166b9073eac4cde233567b27cf3a
                                                                                                                                                                                                                                          • Instruction ID: 6a4a6d7ca519de36d6d2810d48d2025fc7c7367e64544071e113cc7a1ff4e982
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5edbe3948355d7fabd5c8137bc1961b241c166b9073eac4cde233567b27cf3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E741E1756042544FCB16DF28D8849AFBFFAEFC9304B04445AE046CB2A2DA34AD0ADB61
                                                                                                                                                                                                                                          Function 044CE1E0 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a28515cc4dee9b7096d7b98c1942b5bb1b01b8c420e0176bc46ed23a9d247637
                                                                                                                                                                                                                                          • Instruction ID: a06b28aa245df179865f50a863a5ed2a743db6cf91bbbc526fccfc8115dab334
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a28515cc4dee9b7096d7b98c1942b5bb1b01b8c420e0176bc46ed23a9d247637
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60413B75E112499FCB14CFA9D58499EBBB2FF89300F288169E405AB365DB30ED46CB80
                                                                                                                                                                                                                                          Function 044C2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5db54f51e5e7adb69aaa5f18f14153e92fd692caf5d474257b9ea2baae55578d
                                                                                                                                                                                                                                          • Instruction ID: 9f759298cb3da55bfcc107f60e1e4baed90a8ae659902be22032b71e13947367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5db54f51e5e7adb69aaa5f18f14153e92fd692caf5d474257b9ea2baae55578d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87410C39B00118DFCB54DF69D98099EBBB2FF88714B14816AE905EB361DB71ED41CB90
                                                                                                                                                                                                                                          Function 044CF6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3d7ffa7317415042133798a52ef484cafe8aa586107d7c8024501c6309e818a6
                                                                                                                                                                                                                                          • Instruction ID: d2d1182c2aab9b69ca2f53c03f619d80484efc40804a1d7918ee2e8163570756
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d7ffa7317415042133798a52ef484cafe8aa586107d7c8024501c6309e818a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77418D747046558FCB15DF28D888A6EBBFAFFC9304B044469E146CB3A2DA78ED09DB50
                                                                                                                                                                                                                                          Function 044CB080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5cc3ebc27e94cba2ac0b2277f146bbda20dc90cdfd151d1e0f52bd988353400c
                                                                                                                                                                                                                                          • Instruction ID: ea9012c2c57dc4d854669a965be0b23948722053e7f2da274ec99c8c143e9e11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cc3ebc27e94cba2ac0b2277f146bbda20dc90cdfd151d1e0f52bd988353400c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9831AC39B000458FDF10CE6AE881AAAF7AAEF84255B18C16AD519C7315DB71F8058B90
                                                                                                                                                                                                                                          Function 044CCACF Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7c0d507b48a6d8db2a79c3d542973f12d4bc66de5bf9400093f07aac1b0c6324
                                                                                                                                                                                                                                          • Instruction ID: ace9bd099505a86240ed39a572432f263b4a484177938e086d8d4616d261f9b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c0d507b48a6d8db2a79c3d542973f12d4bc66de5bf9400093f07aac1b0c6324
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D21D13A7056119FDB618AA9ECD49A7BBA5EF8571430940AFD408CB362EA21EC03C791
                                                                                                                                                                                                                                          Function 044C310C Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 885e312c996be1336cb6fb074f91b8439d1985634813d8157f35b7dc17334adb
                                                                                                                                                                                                                                          • Instruction ID: bb7ef9a994c36b2e29261d8e66aac783d2a198cb8512957339f7a864e26c0dd5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 885e312c996be1336cb6fb074f91b8439d1985634813d8157f35b7dc17334adb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C921CE39A452582FDF521AB528203FB3F64EF42320F08C0AFEC49D6253C8249892C390
                                                                                                                                                                                                                                          Function 044CC558 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eda1d92721ccb114005aef762258e455791c9679b6bb91259ac2549dd103913e
                                                                                                                                                                                                                                          • Instruction ID: 6c6c75dd5c974f6f2c47b67090e34d445b6764cbb70dfa2a2613cd3209b8d1a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eda1d92721ccb114005aef762258e455791c9679b6bb91259ac2549dd103913e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 853172793046018FC725CF24D5D8966BBF2FFC93147088A69D48A8B762DA34FC46DB90
                                                                                                                                                                                                                                          Function 044CB598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0e4f8ba7a5608f5781de42e251956274fa3433f40d56bf04dc504274a0f714e0
                                                                                                                                                                                                                                          • Instruction ID: 31a20f940c42446be914993233b86ced02728fac14e85630eddd8e1630bf99db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e4f8ba7a5608f5781de42e251956274fa3433f40d56bf04dc504274a0f714e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1621B038B00208CFDF25DF74E8456AA7BA6FB84705F04816AE8058B384DF30A846CB91
                                                                                                                                                                                                                                          Function 0288D6A4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.2142526637.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_288d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41ddeef5dda746208e75098f764cc8ade55b51469fb059f36b4c6882db6614d2
                                                                                                                                                                                                                                          • Instruction ID: 5a3a9c274f68735786289122703f4aa33b09281a57aa3a21dbe2929991ba9f86
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41ddeef5dda746208e75098f764cc8ade55b51469fb059f36b4c6882db6614d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E22103BD504244DFDB15EF24D9C0F26BF65FB88328F24C569D9098B286C336D416CAA1
                                                                                                                                                                                                                                          Function 044CB930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 856b316789a83b6b1a83a701182acdbd44e195d952df7c577a90904325acd70e
                                                                                                                                                                                                                                          • Instruction ID: 29b60b0ddb1f876896e7dbe0ccdf097d74f382fd1209a444e8691a6c11d51d87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 856b316789a83b6b1a83a701182acdbd44e195d952df7c577a90904325acd70e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E112E757042414FAF64DA6EE491A3BB7D6EFC8261718843FA94ACB346EE71FC018790
                                                                                                                                                                                                                                          Function 044C3A29 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 89bb1fb1713e15fe799ce98c7878864ae355ba78d5937fb51a896db0dd69e69a
                                                                                                                                                                                                                                          • Instruction ID: a0975216e9a1b6b1ba7709009e10984a1aad560cfd61625a2027341ab7810578
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89bb1fb1713e15fe799ce98c7878864ae355ba78d5937fb51a896db0dd69e69a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A21A434E401089FDB44DB69C890AEE7BB2EF8C315F54842ED806A7351DE71E857CB90
                                                                                                                                                                                                                                          Function 044C28F8 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30920a1ddd34e410b23b78d3da6d3ce4a31f52a4db7fbbf259dd7e81b2db3726
                                                                                                                                                                                                                                          • Instruction ID: f7616cf56bfdea229ed5852053054237de0c458f930f78fb97b7d5c9a2813060
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30920a1ddd34e410b23b78d3da6d3ce4a31f52a4db7fbbf259dd7e81b2db3726
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A1158A690E3D55FE7039B38ACE51C97F70EE1321871A04D7C0C1CB1A3E9244A0BC3A6
                                                                                                                                                                                                                                          Function 044C30FC Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 11a561c317f4851cbd4a27ea4adfe587cc5700e1a6c543730d4abd40568f5558
                                                                                                                                                                                                                                          • Instruction ID: bd276c294b9306ce465e90467f070b17db7b58d90fb1f26e0b3bf3fdb11378e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 11a561c317f4851cbd4a27ea4adfe587cc5700e1a6c543730d4abd40568f5558
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3711EC28B192A40FEF656B7958503BF2F9A8F86714F4984AFCC82CB783DD54DC464391
                                                                                                                                                                                                                                          Function 044C2258 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d30e63ec583afefffa688859926d95f3a788143eac98eb0919e8a90bded31ebc
                                                                                                                                                                                                                                          • Instruction ID: f43b92bc1fc2b0cfaaaad996227222c6839a71fd91aae37df30eb3ed00f7f400
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d30e63ec583afefffa688859926d95f3a788143eac98eb0919e8a90bded31ebc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2021F979E102189FCB54DFB9D8809DEBBB1FF48710F14816AE905AB361EB719842CB90
                                                                                                                                                                                                                                          Function 044CA219 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 633db7fd13750cda35b8a515a42e349f1f5ef406af1d28c7ca7bb5c0b0f52c8f
                                                                                                                                                                                                                                          • Instruction ID: 941effa54bc7132253a50c8190bd25db90f6a83adc007c99c032df3b60413ab2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 633db7fd13750cda35b8a515a42e349f1f5ef406af1d28c7ca7bb5c0b0f52c8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF112C34B001099BDB55CF95C994BDEBBF5FB88710F25805AE805BB350DA71AD468BA0
                                                                                                                                                                                                                                          Function 044C3A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b367ee1ab6822299248f7699688e3cd783d084dd5e483324e5571d25cd47f916
                                                                                                                                                                                                                                          • Instruction ID: c908f04b220e8c02044afd872d5c8474325fb38e616ff05326e67a136ae1cf74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b367ee1ab6822299248f7699688e3cd783d084dd5e483324e5571d25cd47f916
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A117274E402089FDF48DF65C850A9E7BB2AF8C314F54842ED40AE7381DE75E956CB90
                                                                                                                                                                                                                                          Function 044C1958 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4fd558d0dbb644399809fde3ec60d14349aa862df43a59dbfa18552a6edc865d
                                                                                                                                                                                                                                          • Instruction ID: 06a0da0e9973dae8d63bcd0d57f7f73cd1bcae1d846ec4f3113b08f270a547a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fd558d0dbb644399809fde3ec60d14349aa862df43a59dbfa18552a6edc865d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C215C74E412449FCB44CBA4D495AA9BBB2EF8C311F548819D84BE7340CF71E956CB90
                                                                                                                                                                                                                                          Function 044CAAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 766fd36f6216d648fffecb4912f1fb6e2e032d0fce7849b9bc8ddb6f660077cf
                                                                                                                                                                                                                                          • Instruction ID: 64c9ae1987835141e964ce242940943b5760b6ad911486dc8b1573e0235849af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 766fd36f6216d648fffecb4912f1fb6e2e032d0fce7849b9bc8ddb6f660077cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8021C478E00209DFCF44EFA8D580AAEBBB2EF88314F50459AD505B7350EB34AA45CF91
                                                                                                                                                                                                                                          Function 0288D69F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.2142526637.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_288d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71348e1cf9f81afd844df1a17d1983415161240bd78486831a29afc2cc4373c2
                                                                                                                                                                                                                                          • Instruction ID: 8839baf4567dd988dfc455b173bee4ae59da3a4cb94ed06b2c9d29587e5cb491
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71348e1cf9f81afd844df1a17d1983415161240bd78486831a29afc2cc4373c2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D11E67A504280CFCB16DF20D9C4B16BF72FB84324F24C6A9D9094B656C33AD45ACBA2
                                                                                                                                                                                                                                          Function 044C1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d969825da2a4cb331a4b0b4be5174475e86d50892e0fcd230f5bf25c49f8839e
                                                                                                                                                                                                                                          • Instruction ID: ec531d08ddd4f659ed43934b1f4cb8d9d7e3ef679b0f1acbcb04ddb0c3f6750d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d969825da2a4cb331a4b0b4be5174475e86d50892e0fcd230f5bf25c49f8839e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9621F3B59002498EDB20CFAAC484AEEFBF0EF48314F14852ED459A7240CB356905CFA1
                                                                                                                                                                                                                                          Function 044C1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c566560098013fd5f764dc00413415959dd6bcd76a52d97a24223298e905362a
                                                                                                                                                                                                                                          • Instruction ID: da7bbc1bce09469fff462641952de2fb85c1352b25acd77877a7710f2b4a439a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c566560098013fd5f764dc00413415959dd6bcd76a52d97a24223298e905362a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF11E3B59042498BDB20DFAAC885AAEFBF4FF48324F14842AD51967240CB756905CFA1
                                                                                                                                                                                                                                          Function 044C1440 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8488cab28075425d83a46921ce71a2e943ad92350cd63108974acb3e1f5e3459
                                                                                                                                                                                                                                          • Instruction ID: 8c41725e8eb5ad5455ad981b0d1dd37c7701d0376c2c94ecae8fd5ebb324424c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8488cab28075425d83a46921ce71a2e943ad92350cd63108974acb3e1f5e3459
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58019234E0A3864ECB4A8F7859726263FB9DEC32103890DAFC54BCB193E914D9158791
                                                                                                                                                                                                                                          Function 044C1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 52ad29d48c32ab4684310649715be7172f2e7e0ad64f959cf6134ee2bb8b04c2
                                                                                                                                                                                                                                          • Instruction ID: ae9089bb5477efee26f6fa75555e9bad684695a63e5c5d8183ed6ba3bce35de8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 52ad29d48c32ab4684310649715be7172f2e7e0ad64f959cf6134ee2bb8b04c2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C113D75E412089FCB44DBA4D458AA97BB6EF8C311F944419E40BE7380CF71E956CBA1
                                                                                                                                                                                                                                          Function 044CB070 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a6743a4f10d20119f99dd83eab8a6ca8d92dd903c01fb005d4e0642882f9b3ca
                                                                                                                                                                                                                                          • Instruction ID: 29fc2b731389276faae0039696d8f20004d7f9ecfbb90dcbc4b72a4c71afed6d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6743a4f10d20119f99dd83eab8a6ca8d92dd903c01fb005d4e0642882f9b3ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2901D179B001428FDB14DA6AA890AABFBA6FFC8354708C13AD45CC7355DA71E806C791
                                                                                                                                                                                                                                          Function 044C182A Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f85f80a41cf53fb71e5e3629940216e87a90c256585ea974496379efcd2fe18
                                                                                                                                                                                                                                          • Instruction ID: 8c4f9b48c470f51f43d987780de16e4eb53acd5adebc6028a1d8ff00100eca3e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f85f80a41cf53fb71e5e3629940216e87a90c256585ea974496379efcd2fe18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD01D435A0450487EB64A6B885517FF7BF69B88700F18442EC406E3782CE716C028BA0
                                                                                                                                                                                                                                          Function 044C56C2 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 429f0817b4fff393df82d0c9a8783fd701aa540de7e7a47222b272fd7c4de037
                                                                                                                                                                                                                                          • Instruction ID: bf2776e575f260ea56234256bceb60da3e971194b245b968568f0f4ed776e154
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 429f0817b4fff393df82d0c9a8783fd701aa540de7e7a47222b272fd7c4de037
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C00147B42006047FE315AB68D8846AE7BD6FFC171C744096DE109DF202EF75AC0B9BA2
                                                                                                                                                                                                                                          Function 044CB920 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4fa993cca9739d6d7b9fa2741e55acde8e941e2931ed769cc07994d7ab074383
                                                                                                                                                                                                                                          • Instruction ID: c1a243676892d93fb219144417e25fd98111a547722d47aae51d06c18997755d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fa993cca9739d6d7b9fa2741e55acde8e941e2931ed769cc07994d7ab074383
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C601A2757042804FEB54CA1DE8A0A7BBBE5DF89360719807ED849CB742DA31FC01C750
                                                                                                                                                                                                                                          Function 044CCB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: be80841ff76471b69a7fba8a7203bceba9fca9686ecf99c091e802678917a8c4
                                                                                                                                                                                                                                          • Instruction ID: f0a2a0fbb7b070a9d1f8d696c65b8068da0c4178d58f054d9f490ae7adb41f54
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be80841ff76471b69a7fba8a7203bceba9fca9686ecf99c091e802678917a8c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3F0903A7481144FAB448AADBC84A2FB7EAFBC4B65319013FE509C3351EF61DC028794
                                                                                                                                                                                                                                          Function 044C576F Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de65fa3105b4eb078dc29cc9f91b8ff71676b76b9315dec5503966f017803500
                                                                                                                                                                                                                                          • Instruction ID: 24c3069b5ce4bbea55d808f57aae87baa3651b6140d6f36c0494f70f11e433e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de65fa3105b4eb078dc29cc9f91b8ff71676b76b9315dec5503966f017803500
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D01D679200B109FEB51EB1DE480A9A77D6EF84724744886AE04ACB215EB34FC468754
                                                                                                                                                                                                                                          Function 0288D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.2142526637.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_288d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54c540110a7441a74e4c32d3987520fb0cae6a465cc67e2bf2cb0a56d2dab4ce
                                                                                                                                                                                                                                          • Instruction ID: b75687ae6998720d7148729ba346c4c8d4439d82a4e7d11211fd4b23acd1cb2c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54c540110a7441a74e4c32d3987520fb0cae6a465cc67e2bf2cb0a56d2dab4ce
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7701F2790083489AE721AA39CD84B67BF98DF42338F18C51AEC4C8A2C6C3799841C6B1
                                                                                                                                                                                                                                          Function 044C67E2 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c442ac3761a26b457f53d8b29a08ce21d87f273927c05c572148c7d9050c2d5
                                                                                                                                                                                                                                          • Instruction ID: 6e0a279d060acabe0fa6ddf73803d146a8f384d06f91c0f9612c68a56477aba7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c442ac3761a26b457f53d8b29a08ce21d87f273927c05c572148c7d9050c2d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC0112B8D00608AFDB44EFB8D5915DD7BF6EF89304B1085A9D404EB251EA346A059B81
                                                                                                                                                                                                                                          Function 044CCB7F Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9c9da48186c8c4dd6c8c7b6a7931fb54c07c50e1426cd085f6179e820029ea87
                                                                                                                                                                                                                                          • Instruction ID: 4a027b596d57127ad0cd2e7ed25ea0ad951f26b62bc0b2760ca23865ac21cf48
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c9da48186c8c4dd6c8c7b6a7931fb54c07c50e1426cd085f6179e820029ea87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2F0BE397055205FD7408BADBCD4AABBBBAFFC4654305006FE108C7362EA21DC038790
                                                                                                                                                                                                                                          Function 0288D007 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.2142526637.000000000288D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0288D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_288d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6509c967d5cdd478e54a53fe1be41c75be8d29203c0548703c1c50525596d18
                                                                                                                                                                                                                                          • Instruction ID: f00dad058f225ede5621ebd252587e0d9bf169c80795230f3f20f1d241dc8193
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6509c967d5cdd478e54a53fe1be41c75be8d29203c0548703c1c50525596d18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A014C6500E3C05ED7228B358D94B62BFB4DF53224F19C1CBE8888F1A7C2695849C772
                                                                                                                                                                                                                                          Function 044C6769 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d44c832033b6e2a65a324c95ad71f16789b1fa16233acd95b0d31ef58b5f2628
                                                                                                                                                                                                                                          • Instruction ID: 0c9354c6a5ce0c92a24abd9af64564627968268baa65d1948d49197aa6edd3db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d44c832033b6e2a65a324c95ad71f16789b1fa16233acd95b0d31ef58b5f2628
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94018F3AB02501EBDF51CB64C68065EF3E6FB88325B96CA3AC41A9B344D731ED45CB80
                                                                                                                                                                                                                                          Function 044CE3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: da39560132a2fd922bf0a76f15713d8f8a267c9b2a5c4b334357947a6b37fdc0
                                                                                                                                                                                                                                          • Instruction ID: d68d7e9ae372075d815ebcc0363e1834a352276b4a18bc2d252e8afd92446097
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da39560132a2fd922bf0a76f15713d8f8a267c9b2a5c4b334357947a6b37fdc0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D01D67AB006188BEB059A68D85136E77A3FBC8710F64855AE605AB340DFB0BD0697C0
                                                                                                                                                                                                                                          Function 044CE36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 90581a57b45d2140baad532e84d5ee6365e00461b9a4da0120e62a7bd7cfb142
                                                                                                                                                                                                                                          • Instruction ID: 8e83570751e262a4f3886ba9369f57ca9d7c7b68ec76483db4528a2d6f6370e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90581a57b45d2140baad532e84d5ee6365e00461b9a4da0120e62a7bd7cfb142
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AF0C87AB006144FEB059A68D85136E77A3FBC8650F58C55AE605AB340DFB0FD06D7D0
                                                                                                                                                                                                                                          Function 044CAF00 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 66153538f6268399d4195d46325d8bf61abe203f3dab510cbc35a82272aa94df
                                                                                                                                                                                                                                          • Instruction ID: aec7979ddeec102ba8a1d0ae51dca4b180ddc6ebf3cf672dea71ad02522a2e4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66153538f6268399d4195d46325d8bf61abe203f3dab510cbc35a82272aa94df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37F0E2F2B002051FDB548A5E68D09ABABE9EFD8224304802BE40DCB301EE64EC0243A0
                                                                                                                                                                                                                                          Function 044C4551 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2686116e7f431667be7b2b4640aa3342f3b0809d721202f385448f7eafda9a69
                                                                                                                                                                                                                                          • Instruction ID: 097c33c310135122a164df43eb522aed6fb4cf668b7d38d7f62246a8b5342ead
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2686116e7f431667be7b2b4640aa3342f3b0809d721202f385448f7eafda9a69
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F0E9797049101FD312A76CA8A159B7BE6EFC525834444ADF14DCF241EE14984787D6
                                                                                                                                                                                                                                          Function 044C6038 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 44a1fed8f1386db28b4690c3889f750819167729e6c08493ef0a5545085f579f
                                                                                                                                                                                                                                          • Instruction ID: ae12a628de0676ac1d6ee024df0b885e5c523b2bb24a336be175a5f4ed70bd60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 44a1fed8f1386db28b4690c3889f750819167729e6c08493ef0a5545085f579f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FF0F435114BA04FC3219B19E444297BBE0FF8275CB04481ED0C64AA52E7F5A449C781
                                                                                                                                                                                                                                          Function 044C56D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d319dbc8e43e654139dd40954c81f45faf346cdda08493d7b05b491e2ef020b7
                                                                                                                                                                                                                                          • Instruction ID: ecee4940e8970d9e0ae885914fffe810739aa2d767f7080179eb6b635c871fca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d319dbc8e43e654139dd40954c81f45faf346cdda08493d7b05b491e2ef020b7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5F028743002046BD715A7ADD44066E7AD6FFC1718780492CE10A9F200DF79BC0AABA1
                                                                                                                                                                                                                                          Function 044C6880 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f328c5d46e6d9c6c5de62fbaec24202e8aa94efec1c40729cbc6acc0aab6e2e
                                                                                                                                                                                                                                          • Instruction ID: c881d537b026782e147b1708002084feb055c657e594d3acb75efebf66af7638
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f328c5d46e6d9c6c5de62fbaec24202e8aa94efec1c40729cbc6acc0aab6e2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6F0FE6111E6A16FC322873CACA55C2BF75FE5721435A42E7D084CB153E6259887C3E2
                                                                                                                                                                                                                                          Function 044C67F0 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25f32d74857a1a864e0167826b0656e0069dadac3b5e2d3d3f726abd3d0d85c7
                                                                                                                                                                                                                                          • Instruction ID: 545582dca0d759a8a6679a601deb8c9d7f2aad8ddf44de2c2cba3664baec8b15
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25f32d74857a1a864e0167826b0656e0069dadac3b5e2d3d3f726abd3d0d85c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A01FF78E0020CAFDB44EFB8D54159D7BF6EF89204B5085A9D404EB251DA346E059F81
                                                                                                                                                                                                                                          Function 044CAEBF Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca6dd361745f8e658cb980302a5c2d52183f3e617e9aaefa452aded8fbc46107
                                                                                                                                                                                                                                          • Instruction ID: 62f45b947fb45d50fc5e7ece0961e22b2d1e71d7e50340591ba81ad1a9931598
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca6dd361745f8e658cb980302a5c2d52183f3e617e9aaefa452aded8fbc46107
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53F08C6921E7D44FEB0757383CA119A7F21ED8361835A44EBC0C1CF0A3D528681E83B2
                                                                                                                                                                                                                                          Function 044C1431 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4a6d5f3bff82f5edcd8fdc882b27cbe8d0fa4e883e9298acd8dab163802ebdf1
                                                                                                                                                                                                                                          • Instruction ID: e163b760ab5286d7c17fde1a703f59cbaf8feb4246904846b0b25153fa638438
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a6d5f3bff82f5edcd8fdc882b27cbe8d0fa4e883e9298acd8dab163802ebdf1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32F04F74E062464EDB4A8F78556626A3FA6EEC23503890CBF8547CB193E920D5129B91
                                                                                                                                                                                                                                          Function 044C57A8 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6b950c332cbf27f6c334757b8c10304f5243b620757fe7e48d750d4ad270e8e0
                                                                                                                                                                                                                                          • Instruction ID: 477747f84c16c28ea613105f6cfdda519bf93db1f9194df61fe05d3512114a79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b950c332cbf27f6c334757b8c10304f5243b620757fe7e48d750d4ad270e8e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EBF0E9743007005FDB11DB2CD89099B7BD5DFC631470848AEE049CB312EB64EC02C7A1
                                                                                                                                                                                                                                          Function 044C68D1 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 77de0ec7c6566347cca3805b00a849e5546a98f55c8a5b5c6f6f1b60f14a621e
                                                                                                                                                                                                                                          • Instruction ID: 2be158a646479a9b24004602668091bd35f491606cd6d1c3d2f8aff3911dd1f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77de0ec7c6566347cca3805b00a849e5546a98f55c8a5b5c6f6f1b60f14a621e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99F0963A6046556FCB12CF58D84088ABFF5EF8921030981A7E548CB222E631D905CB50
                                                                                                                                                                                                                                          Function 044C38B0 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f5bd5f47d0bc377f48f4511130b160599718b3f05bddb901ea1ab520285a584
                                                                                                                                                                                                                                          • Instruction ID: 814f4f2af437f0a18e3ad11d25fc075c9c376b15bd235816468cf857a76ec7af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f5bd5f47d0bc377f48f4511130b160599718b3f05bddb901ea1ab520285a584
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86F0A7247186680EFF605B7955903EB1F998B86319F19817FCCC2CAB83D9C0E84683D1
                                                                                                                                                                                                                                          Function 044CC4C9 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce1c7e7caedf30df1482970d3473f3d26c6ec42ff221fb567e2890ff67c0d48e
                                                                                                                                                                                                                                          • Instruction ID: 4b41141cfecd54b62123dff43eddcf4efce0809175264bba915ddb4912f361d6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce1c7e7caedf30df1482970d3473f3d26c6ec42ff221fb567e2890ff67c0d48e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90F0973A3087105BC7238A288CC0AAB7BE5DFC1390B08456FE88C8B146E960FE45C3A0
                                                                                                                                                                                                                                          Function 044C45B8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ecbb5d5d4fbe73007907b3959104783e5fcc37a9f68bcc504973ebda6ccd1fda
                                                                                                                                                                                                                                          • Instruction ID: f945605c6344752347c461fa44c36903089c184d80db66ef5e902513d5b28b93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ecbb5d5d4fbe73007907b3959104783e5fcc37a9f68bcc504973ebda6ccd1fda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFF0E9383046018FDB11DF2CE85096E3BE2EFC530434905AEE045CB362DB24EC068B50
                                                                                                                                                                                                                                          Function 044C46C8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fcbb92381104ae49e0a53e5f14b78d7d34204998c39a10dfeb56cd923ef97ae7
                                                                                                                                                                                                                                          • Instruction ID: 3d996ded856d54e166d91d34ea005bbe592f7193c267dc3cdfe3286d80a49303
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fcbb92381104ae49e0a53e5f14b78d7d34204998c39a10dfeb56cd923ef97ae7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44F0B4B8D0A2089FCB40DFA8D5955ED7BF0EB42304B0040DAD418D7351E6345A0ADB81
                                                                                                                                                                                                                                          Function 044CAB90 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1daad17ed1c02f9fad3e62ef164429364ed7831c67a02b0365db063bb0e5e2cc
                                                                                                                                                                                                                                          • Instruction ID: 5dbc595764af4665fa6ab08e97b8e144a7e1348d41dc17123db0b06e77304e48
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1daad17ed1c02f9fad3e62ef164429364ed7831c67a02b0365db063bb0e5e2cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EAF0E5353092005FC7558B39A8959AB7BBAFBCA62531580BEF10ECB361E914DC0A8350
                                                                                                                                                                                                                                          Function 044CC688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 05a398159b63ee690eaafa0a73a1b8ceacb1da573d6edefcc885ef1b7ad74d36
                                                                                                                                                                                                                                          • Instruction ID: 26501b2e21c9ec5358877cbac073f49139a228efd56b4e2bced870eca10adad3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05a398159b63ee690eaafa0a73a1b8ceacb1da573d6edefcc885ef1b7ad74d36
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDF02B397102164FCB48DA79D984867B7DAAFC83A0318A5BAD90DC7320EE71DC02D7C0
                                                                                                                                                                                                                                          Function 044C46A0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3fb75150553fe9d72a345789af306e60a578d49adc7cdd15a0002b770bad71e0
                                                                                                                                                                                                                                          • Instruction ID: a08176982bcb3ec2d157e784ce397600a63c895e94d0981df5db5b42f97bf2d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fb75150553fe9d72a345789af306e60a578d49adc7cdd15a0002b770bad71e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BF0A074D062486FCB51CBA4D4994E97F78EB82300B0040DAE88A8B321EA359E06DB96
                                                                                                                                                                                                                                          Function 044C36A9 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 022e8461f3e927510c720a6932f876ecd94422e0af6c919bb19f3a9ac57c906c
                                                                                                                                                                                                                                          • Instruction ID: 9318b0de6e51a9c478afdba9043a0d6f1d72632b449411686e217df223f53c45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 022e8461f3e927510c720a6932f876ecd94422e0af6c919bb19f3a9ac57c906c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24E03971E005299F9BA4EEAC99542FEBBE4EE48105B24846FCC4AE7210F63196428BC0
                                                                                                                                                                                                                                          Function 044C4560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 55b0f7dd98ac843ea1211e47d8203dcf4c67185c2130b35aaf04777cd495663c
                                                                                                                                                                                                                                          • Instruction ID: d53d7a5af43e1fbebd5260601d3f6d1c1765bda6f5feb2adfb312897ac12c22b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55b0f7dd98ac843ea1211e47d8203dcf4c67185c2130b35aaf04777cd495663c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4EE02239300A102B9616B6ADE82041FBAE6EFC46A8740487DF10DDB300DF24FC4687D9
                                                                                                                                                                                                                                          Function 044C6AAF Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 04a0df7db223d6b57573cb18d618a76ef18db91c1a69db66c4b7db6694dfa558
                                                                                                                                                                                                                                          • Instruction ID: c53223371e1fed387b20fb20870db2ab572f8eb7c43754a53e4a249d141126b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04a0df7db223d6b57573cb18d618a76ef18db91c1a69db66c4b7db6694dfa558
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F06D752092549FD711CF99D894CD27BE4EF5920530980AAE488CF353E722ED16CBA1
                                                                                                                                                                                                                                          Function 044CC678 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 03f4489b0d159a0482e863cfccb77f363b7d8ff42494b9136dc251731115c409
                                                                                                                                                                                                                                          • Instruction ID: 8af46bf22f69e6a3459f90e93e35bdec7865330ab588c3e0630ccbfa1c9d041d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03f4489b0d159a0482e863cfccb77f363b7d8ff42494b9136dc251731115c409
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6E0DFBA60531247D7058A209684292BBA6AF81254B0895AACD488B342EE72C843C381
                                                                                                                                                                                                                                          Function 044CC1D0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0613c787f289a35efbf2cb5a392abb37fd6ebfc144dfd46fe8636097ecf43b12
                                                                                                                                                                                                                                          • Instruction ID: cb4394446d80565239a327c43f08297d98f2e89f7c56244e337e0f75d6937ef5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0613c787f289a35efbf2cb5a392abb37fd6ebfc144dfd46fe8636097ecf43b12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADE06838201B000BC3016728E4981DF7FA5FBC131C7000819E485C7341ED746D0A8BD6
                                                                                                                                                                                                                                          Function 044C3CC0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 232ed9470eda416996035d27cec4d1b36224aff4336482e81b77f7f26a95fcf3
                                                                                                                                                                                                                                          • Instruction ID: 2ddddcb365fdd949b9034cf154ee6ae4d100d8d61da27bdf565ec3d92c696571
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 232ed9470eda416996035d27cec4d1b36224aff4336482e81b77f7f26a95fcf3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADE0263E7444A01B870125DE34284BE3B96DAC5A2A30900AFE409CB382CE154C4B1792
                                                                                                                                                                                                                                          Function 044C2998 Relevance: .0, Instructions: 25COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ea65ae4695ec7df28639c56ad354188b0bea270f7575c3f7cd09e498ab68d58
                                                                                                                                                                                                                                          • Instruction ID: 3caae8cc78cd7e2d66a3e03abc35291e8b560fd15f6e065c26595e87d70c9d29
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ea65ae4695ec7df28639c56ad354188b0bea270f7575c3f7cd09e498ab68d58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAE086B42096441FE3129738E9A37CA3F62EF81B04F515999F0C28E5A7DE11594787C5
                                                                                                                                                                                                                                          Function 044C36B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction ID: 303249802eaff195a3cd50a591eff9ec99fbc33b55e841b251be4e960fd36fda
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AE0ED75F0021A9F8F90EFA999001AEBBF4AB48140B14C56EC919E7304F231AA028BD0
                                                                                                                                                                                                                                          Function 044C3CFF Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5f15f2b24d3921015e87c0aa98767f3c9e245b81c08cfb875b68a8158eceb0c
                                                                                                                                                                                                                                          • Instruction ID: acd0d311df4f38e90b5324b537127b4f89f7f0a73e4490221ff15c00957e8d2a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5f15f2b24d3921015e87c0aa98767f3c9e245b81c08cfb875b68a8158eceb0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53E0D87091528C9FC701DFB4FC914CD7FB5EF45204B1040D9E408DB252E9315F019792
                                                                                                                                                                                                                                          Function 044C17F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 20973b395b2775b41031401bb3c34494bf7f572c527f9d133461dbec4ffa851f
                                                                                                                                                                                                                                          • Instruction ID: e1a77c5a6448cce9808d727c0a5b5303a4fbf8435387fe2fdce81aa7c1350a10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20973b395b2775b41031401bb3c34494bf7f572c527f9d133461dbec4ffa851f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BE0C2372196540FC709D775A8964E97FB5EB6611030840ABE88287263CC210C53C780
                                                                                                                                                                                                                                          Function 044CC1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b88e1f9502ea0f6d02af404f91e93081528cff6578c48139da7175fc7abce89
                                                                                                                                                                                                                                          • Instruction ID: 94e3674481845d0838e0e36d1c37327c5d260673069ba694548f7e534ff672ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b88e1f9502ea0f6d02af404f91e93081528cff6578c48139da7175fc7abce89
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59E0C239200B0447C215776CE00455EBBEAFBC5769B00082DE44687700CE75BC4A9B99
                                                                                                                                                                                                                                          Function 044C6AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bfaac737776bc068277aa386c89db463f221f8d979f62b540b1bfd4ea73e1d1
                                                                                                                                                                                                                                          • Instruction ID: d7345ca5309d9603793c0289b91d0fe7de68e6f3a2aa8731b81fa20940b474d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bfaac737776bc068277aa386c89db463f221f8d979f62b540b1bfd4ea73e1d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54E08C75300204CFD700DF4CD880C92BBE9EF59214315C09AE888CB312CB62FC12CB90
                                                                                                                                                                                                                                          Function 044C3CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c586afb1780c36a50816810b921193eed8b52065b19e8456548389ddad7a919d
                                                                                                                                                                                                                                          • Instruction ID: 3d687ec09ca8e2eea6ad274ad803324630e070894d7cb8e299abd8c04caaad2f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c586afb1780c36a50816810b921193eed8b52065b19e8456548389ddad7a919d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22D0A73E340520230A04259E741C42E77DFDBC9E65308003FFA0AC7340CE559C4627E5
                                                                                                                                                                                                                                          Function 044C3938 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ecc1a0e2a93404bc337278c975293cefb6f3b5bd3f3b19c0bd9a833616391d47
                                                                                                                                                                                                                                          • Instruction ID: cc9ee79c4d7ad745f94ed711e3ec6504ff0c568c3057699d0d9ee4ee65f34de3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ecc1a0e2a93404bc337278c975293cefb6f3b5bd3f3b19c0bd9a833616391d47
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30D09515F4A3A05FCB1042F814502ED2F75CF42210F1585EFCC45DF243C4604C438340
                                                                                                                                                                                                                                          Function 044C46D8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6e9c9453025fff795886b5f71cffdb20c9b8488bee460ef43fbabb370860874f
                                                                                                                                                                                                                                          • Instruction ID: ebff245dcc5f2755ca814cdd246129893abf139eea1c85002e4852b0768f7e0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e9c9453025fff795886b5f71cffdb20c9b8488bee460ef43fbabb370860874f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BE0B674E0520CAFCB44EFE8D44459DBBF5EF89304F0085AAE809E7350EA346A489F81
                                                                                                                                                                                                                                          Function 044C3C89 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9920ecb127995eeeb2454442455011aae0dade0e1440414f651689c18caff987
                                                                                                                                                                                                                                          • Instruction ID: 8e937307153814dfa8ef948544a1050ea08331aafc143671ca3c9255ac760f4a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9920ecb127995eeeb2454442455011aae0dade0e1440414f651689c18caff987
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15D0A73571CA448FCF489E74A8A51E93B51DA9110D30444DFD44AC7653F51555168B41
                                                                                                                                                                                                                                          Function 044C0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3c5a3d5d8227311af76b45950341c908fba66b2b6c2cbf6b29b5516136c72cff
                                                                                                                                                                                                                                          • Instruction ID: 59fdf450ecbbc390c9fab677790964e966c1125dce8a18cc81dbbb2e97302d4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c5a3d5d8227311af76b45950341c908fba66b2b6c2cbf6b29b5516136c72cff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12D0A73631451C5B47046659DC4586A7B99EB94360754483BF90283211DD70AC1187A5
                                                                                                                                                                                                                                          Function 044C3D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b2f42d1c93368f31710b44cd8116e8251c8797422fd4230585e72493d6ef6bdd
                                                                                                                                                                                                                                          • Instruction ID: 25194fd49d95a7ed4c16ea1e2fe3b1b11675576e925510fcf5efdabdfc8f306e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b2f42d1c93368f31710b44cd8116e8251c8797422fd4230585e72493d6ef6bdd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BD05E74A0020CEFCB04EFB8E90155DBBF9EB88208F1045E9F408E7240EE316F00AB91
                                                                                                                                                                                                                                          Function 044C0440 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5aa7076dce7a907e60b65ad63ace48b9828f0c05985e52b305fcc541f0cf30d2
                                                                                                                                                                                                                                          • Instruction ID: 7e9691f321286c10ee6f096aee1e4fa0f0d4430fddd5d44e9125abf2c682f4c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5aa7076dce7a907e60b65ad63ace48b9828f0c05985e52b305fcc541f0cf30d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99D0127650A7908FD303C2AC48515D37BB4EE625013C8865BC4C286553912A1557C126
                                                                                                                                                                                                                                          Function 044CE32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a2a289b7da572cf2dc3d6caa9e4267f7c45f56d55e79e00e317bcba2de76173d
                                                                                                                                                                                                                                          • Instruction ID: f2a8057ba43a062c36c590a9be8dc89ae7da31ecd5dda60c912be645fb46234a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a2a289b7da572cf2dc3d6caa9e4267f7c45f56d55e79e00e317bcba2de76173d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ABE0123460460ECBDF649FE1C5547AEB771BB44305F344419D401A6254DF746506CF80
                                                                                                                                                                                                                                          Function 044C2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ef2e1a3389fc2028dfa726993eab1eba6bbd49aedb1664c56573b1dde94dfede
                                                                                                                                                                                                                                          • Instruction ID: 48957da16636673a222b2aeb6537f658f0f5df7129c6e1b5f56b999d41d51406
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef2e1a3389fc2028dfa726993eab1eba6bbd49aedb1664c56573b1dde94dfede
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74D05E7590120DEFCB04DFB4ED4595DBBFDEB45210B2086A5A808D3211EA305E008B80
                                                                                                                                                                                                                                          Function 044CA3A8 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 64ab7bdf5805a9ea890fd693c20084e2b99b2c73cfbe98e7d3292b806c13945f
                                                                                                                                                                                                                                          • Instruction ID: b6ff08154be66d8c345285471b4fc1c9de618e9d1f2baf99d94b1e9e0e201573
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 64ab7bdf5805a9ea890fd693c20084e2b99b2c73cfbe98e7d3292b806c13945f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44D012396053199B8A055A55D910855BB2AAF8566832C84ADD94C1F715CE33EC53CBD0
                                                                                                                                                                                                                                          Function 044C3C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41e1b98c5ba4911f2f492e91fd938026ca17080f3f2a281709e78dae24500642
                                                                                                                                                                                                                                          • Instruction ID: ef02353548479772d53cdbfeca5c7e09d12812fbb86603b0f1b487d6e2526148
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41e1b98c5ba4911f2f492e91fd938026ca17080f3f2a281709e78dae24500642
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18D0C9353142089BCF989EA4E5555297799EB8860830488ADA80AC7341EB26F9129A80
                                                                                                                                                                                                                                          Function 044C46B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c091ce1375641218624841be9165b160b37b681ec2e008257c9afc9f3f7a3a4
                                                                                                                                                                                                                                          • Instruction ID: 9c36901621b78b4dc7758e87f6a76a77276b82de15794381bc3e918e4af5488b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c091ce1375641218624841be9165b160b37b681ec2e008257c9afc9f3f7a3a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9B092B090630CAF8620DA99980186ABBACDB0A210B0001D9E90887320D972A91066D1

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 044CF7E8 Relevance: 7.6, Strings: 6, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.2142021707.00000000044C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_44c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$,gq$,gq$Hgq$`]hq$`]hq
                                                                                                                                                                                                                                          • API String ID: 0-485096735
                                                                                                                                                                                                                                          • Opcode ID: 6202828af8587e898a4bf81c30e5a7086b8079b66ba8eecadd4666b0318be4de
                                                                                                                                                                                                                                          • Instruction ID: f499a3a7b36595d4024d43366da8b3a8f682eaad03efd33499ad0f99d333d491
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6202828af8587e898a4bf81c30e5a7086b8079b66ba8eecadd4666b0318be4de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7341E579B149148FCF64AB2C941446E37E7EFCA62132900AFD106DB3D1DF68EC4687A5

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 051850B8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VJm
                                                                                                                                                                                                                                          • API String ID: 0-4047210350
                                                                                                                                                                                                                                          • Opcode ID: 6ddc0f910a242bbfe0f46220704837da17ec2d34de6538530e59fa0b9061dc1a
                                                                                                                                                                                                                                          • Instruction ID: abbe879375a689087d0adc11b8f7ab22c6c4cbe994d3fda1ee4a50f6714e48b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ddc0f910a242bbfe0f46220704837da17ec2d34de6538530e59fa0b9061dc1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3B12A70E04209EFDB24DFA9D885BADBBF3FB88314F158129D815A7294EB749846CF41
                                                                                                                                                                                                                                          Function 051859A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2f040ff333511d4a272bef43e4d431c96d6bbbb86c8ef95aa213152a7345c06c
                                                                                                                                                                                                                                          • Instruction ID: b0c11400fdee0158b439d9c42f495a1eeea797f27651a2a2e08410a8aafaf252
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f040ff333511d4a272bef43e4d431c96d6bbbb86c8ef95aa213152a7345c06c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AB15E70E04209AFDB24DFA8C885BADBBF7FF88314F158529D819A7254EB749845CF81
                                                                                                                                                                                                                                          Function 05181080 Relevance: 4.0, Strings: 3, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • roperty from JsonReader. Current JsonReader item is not a property: {0}, xrefs: 051811B9
                                                                                                                                                                                                                                          • roperties defined by union '{0}'., xrefs: 05181305, 0518130F
                                                                                                                                                                                                                                          • (gq, xrefs: 051811A8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$roperties defined by union '{0}'.$roperty from JsonReader. Current JsonReader item is not a property: {0}
                                                                                                                                                                                                                                          • API String ID: 0-1873886537
                                                                                                                                                                                                                                          • Opcode ID: d011c8d748174771a42a52ce108bc0a719a5d315935daa9ab6b7ebf6b6b16c78
                                                                                                                                                                                                                                          • Instruction ID: bfd32b22f65b6a88d1aad07456e64573ecc49119e030db3faf46950474151df5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d011c8d748174771a42a52ce108bc0a719a5d315935daa9ab6b7ebf6b6b16c78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D71B436B006049BDB29EBB5C854A7EBAA7BFC8310F158029E506AB395DF74DD42CB50
                                                                                                                                                                                                                                          Function 05181630 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $cq$$cq
                                                                                                                                                                                                                                          • API String ID: 0-2695052418
                                                                                                                                                                                                                                          • Opcode ID: 906e0f98cdbcb2f69af3a1fa04d73c1921dbee1c19adfcac964e6e5e65966420
                                                                                                                                                                                                                                          • Instruction ID: f08e0d7cb712caa9acc302018d42b5ca0fd626c1309d954bc953f370032fd9bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 906e0f98cdbcb2f69af3a1fa04d73c1921dbee1c19adfcac964e6e5e65966420
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C351CE76B002089FCB25EF78C8446AEBBF6EF89350B24846AE409D7355DB309D06CB91
                                                                                                                                                                                                                                          Function 05180C1C Relevance: 2.6, Strings: 2, Instructions: 101COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • roperty from JsonReader. Current JsonReader item is not a property: {0}, xrefs: 051818D0
                                                                                                                                                                                                                                          • (gq, xrefs: 051818BF
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$roperty from JsonReader. Current JsonReader item is not a property: {0}
                                                                                                                                                                                                                                          • API String ID: 0-923123227
                                                                                                                                                                                                                                          • Opcode ID: a1157e471a2bad9537fe361cef03d3bb9a5fc98e336ec433c1c7aaa488bea3c2
                                                                                                                                                                                                                                          • Instruction ID: 1116d19ab4193fef4f85795a6fdb12d25d1771efe6dd879415d9c4ec46cc8700
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1157e471a2bad9537fe361cef03d3bb9a5fc98e336ec433c1c7aaa488bea3c2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8731FB36B442446BDB25B678986937E7FF7ABCA300F144469D402EB382CF784D05C791
                                                                                                                                                                                                                                          Function 051850AD Relevance: 1.6, Strings: 1, Instructions: 313COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VJm
                                                                                                                                                                                                                                          • API String ID: 0-4047210350
                                                                                                                                                                                                                                          • Opcode ID: 68f76d67db6bda2b4069e2e793a803a89971d627340d27088f39254465585c28
                                                                                                                                                                                                                                          • Instruction ID: 890e486600237862bd78b6fd5e47165e792d3b8fffabb84b8b84127faa12ae3a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68f76d67db6bda2b4069e2e793a803a89971d627340d27088f39254465585c28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76C12870E04209EBDB24DFA8D885BEDBBF2FF48314F258129D815A7254EB749845CF91
                                                                                                                                                                                                                                          Function 05181968 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: JToken from JsonReader. Unexpected token: {0}
                                                                                                                                                                                                                                          • API String ID: 0-3410615700
                                                                                                                                                                                                                                          • Opcode ID: 59683cab0acb1522129687ea9426594bf4d3776abdba55fbf3848a303bbb85fd
                                                                                                                                                                                                                                          • Instruction ID: f02d21e5a84702495efccabe769ed4de9c2c0052d2c04ba5d174b51878c222a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59683cab0acb1522129687ea9426594bf4d3776abdba55fbf3848a303bbb85fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6111235610644AFDB04DF64D855AAE7FF6FF8D315F144019E90AA7340CF796846CB90
                                                                                                                                                                                                                                          Function 05181440 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: g JToken from JsonReader. Unexpected token: {0}
                                                                                                                                                                                                                                          • API String ID: 0-303654760
                                                                                                                                                                                                                                          • Opcode ID: b8b87b92b2e250c8deb2a77fc2a1b2da96e01d5ad580177da7a9fdfe2a7a0a4e
                                                                                                                                                                                                                                          • Instruction ID: 17a16905a87ac95413cfc655cf95458b27f32ecd0ab357049523f2272d0d7ebb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8b87b92b2e250c8deb2a77fc2a1b2da96e01d5ad580177da7a9fdfe2a7a0a4e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E01F9326183451FCB099F789C6262E3FB6FFC225070508A9D246CB292EF284805C780
                                                                                                                                                                                                                                          Function 05181431 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: g JToken from JsonReader. Unexpected token: {0}
                                                                                                                                                                                                                                          • API String ID: 0-303654760
                                                                                                                                                                                                                                          • Opcode ID: d8f3cf6aff35823f6fe7a92121139a273f9989b0255dcee6747d6fb627890f91
                                                                                                                                                                                                                                          • Instruction ID: 060d05e0233d9b9b2ea3ef6c9dcea4ba06a681f80fba64195f2470d69b1d0aa8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8f3cf6aff35823f6fe7a92121139a273f9989b0255dcee6747d6fb627890f91
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DF096776143066ADB18AFB4995762E7FAAFFC229074408699606CB251FF249901C7C0
                                                                                                                                                                                                                                          Function 05185EB0 Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t null value to {0}.
                                                                                                                                                                                                                                          • API String ID: 0-1624419876
                                                                                                                                                                                                                                          • Opcode ID: 08a9f12d0f36480e2e7941fa616290552a0b3025b2db857530bf03602928c682
                                                                                                                                                                                                                                          • Instruction ID: 5beca4e2398b86f40bdaa3137538464b730581f5709171c74f830b742175b151
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08a9f12d0f36480e2e7941fa616290552a0b3025b2db857530bf03602928c682
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68D0A7333442245BDB0496ACF885B9937A9DB49724F4400AAF609DB362CD55ED0147C9
                                                                                                                                                                                                                                          Function 05180C48 Relevance: 1.3, Strings: 1, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t null value to {0}.
                                                                                                                                                                                                                                          • API String ID: 0-1624419876
                                                                                                                                                                                                                                          • Opcode ID: 1a095443e18ab57ed3efed1aa34d9435fd1e9a920196323f13646647cff2c354
                                                                                                                                                                                                                                          • Instruction ID: d9e0bc2212635b1b8cf42f6b79d2ded958faf5a34c216bbfa837c8da4c7032af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a095443e18ab57ed3efed1aa34d9435fd1e9a920196323f13646647cff2c354
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4D0A7323101205BC614A25CE85497D739AEF49714B41045AF109C7321C951EC0007C9
                                                                                                                                                                                                                                          Function 0518599C Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5234c0bb8355cefa132fa8432a7dc99bdc8b65ff181bdd1fea7fb0a8cd27a7a7
                                                                                                                                                                                                                                          • Instruction ID: 17ffa27585b72a7ec09d204acee91fcc881db8f2346a1ba065dd9e17852e7f2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5234c0bb8355cefa132fa8432a7dc99bdc8b65ff181bdd1fea7fb0a8cd27a7a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FB15B70E04209AFDB20DFA8C985BADBBF7FF48314F198529D819A7254EB749845CF81
                                                                                                                                                                                                                                          Function 05182268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 13dbdb2abd235256f48e8a33ec9a7e963437e62b59571e6387ab625269a3a99c
                                                                                                                                                                                                                                          • Instruction ID: 99d1e0af122b1ccae7a910636c48b4ca851524bae41115cc1afe51f28bf01d62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13dbdb2abd235256f48e8a33ec9a7e963437e62b59571e6387ab625269a3a99c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4141F839B101189FCB55DF68D8849AEB7B6FF8C710B108169E915EB360DB31AD41CF90
                                                                                                                                                                                                                                          Function 05181050 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 074b0042e1c2fbd479fa4dfbf5517ae963b3fc07bf97bece0a21ab4ae920ec1a
                                                                                                                                                                                                                                          • Instruction ID: 7fead682550f7bde7cbf129dad4194aeab0ced0784ce801d08798492881e7fa3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 074b0042e1c2fbd479fa4dfbf5517ae963b3fc07bf97bece0a21ab4ae920ec1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC214833B04350ABDB25AAB49C50ABE7FEAAFC4200F084066D902D7281EF74CD06CB91
                                                                                                                                                                                                                                          Function 05182B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ae2859d8983109f39fbc8c21a04106d45edb219ca117d0c6c39cf04731fb46a
                                                                                                                                                                                                                                          • Instruction ID: aaeca8d8ff061508a2ce6fc86014589464f65cc03ab8d6e3a04061ff79167612
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ae2859d8983109f39fbc8c21a04106d45edb219ca117d0c6c39cf04731fb46a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB11E079B001144F8BAAFB7C54241BFBAE3AFC8251B150479C51AD7344EF348E028BD2
                                                                                                                                                                                                                                          Function 05182258 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d3a729061639f8d7e5717cd31272ac843e7ba83178185c589a3bac81458e86a8
                                                                                                                                                                                                                                          • Instruction ID: 2e9c9fe495116d43c2bdace557c1fb7fa8b2261df4155970e5351361ae325880
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3a729061639f8d7e5717cd31272ac843e7ba83178185c589a3bac81458e86a8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3214779A102089FCB54DF68D88499EBBF2FF8C710F108129E905EB320DB31A941CF90
                                                                                                                                                                                                                                          Function 05181378 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fb56ac41c881679eb46ddfde0c68267ff8a36fef907b272e2fb217e114083965
                                                                                                                                                                                                                                          • Instruction ID: 2526c10ec79e2802e4f8789ea7f03c0f540771378929fdb5c0a9cab7c3fd6752
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb56ac41c881679eb46ddfde0c68267ff8a36fef907b272e2fb217e114083965
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12213571C002498FCB20DFAAC881AEEFBF4FF58320F148429D45963200C7356946CFA1
                                                                                                                                                                                                                                          Function 05181380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3333b7433e2b5f414e2cbfe62d13ffe0ea255cc671316820a9cb75c7641727bb
                                                                                                                                                                                                                                          • Instruction ID: 7167aa35a4eb539fda56c2d695167d40881268e678c0befa608420ed25b659cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3333b7433e2b5f414e2cbfe62d13ffe0ea255cc671316820a9cb75c7641727bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D31106B5D042499FDB20DFAAC885AEEFBF4FF48324F10842AD91967240CB756945CFA1
                                                                                                                                                                                                                                          Function 05182B08 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4aa4d782ad019022d6a37760d5ee09b7853aad354a8a94470b0ebd3b6d51c1f8
                                                                                                                                                                                                                                          • Instruction ID: 2964bf5e18895bb7156858ddb841a26ac87608d0b029d4f8bd2988b3770097ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aa4d782ad019022d6a37760d5ee09b7853aad354a8a94470b0ebd3b6d51c1f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7019278B001108F8B65BB7854646BE7BE7AFC5241B190579D81AD7344EF348E028BD2
                                                                                                                                                                                                                                          Function 0364D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2148657796.000000000364D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0364D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_364d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8425423903611378cad064579a929b6ea9dce837fac0e211e5db82391d947539
                                                                                                                                                                                                                                          • Instruction ID: dc23e50dc4d43f15937965865464ee5ace224a5ca4302d50845736a12a3ad458
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8425423903611378cad064579a929b6ea9dce837fac0e211e5db82391d947539
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A01A271C08344AAE721CE29CA84B66FF98DF41B34F1CC55AED480B287C2799942C6B1
                                                                                                                                                                                                                                          Function 0518182A Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ccf7246568831dfc934015bd1f790fa8026bba45541f6f63d2b7075c63556cf
                                                                                                                                                                                                                                          • Instruction ID: 90e16e3557a33564f90600e8af1d17dda3d40037a51516455930e68b47467bc8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ccf7246568831dfc934015bd1f790fa8026bba45541f6f63d2b7075c63556cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4016232B00209A7DB28BA68C95A7BF7AF6ABC9710F15442DD106B7381CF755D05CB91
                                                                                                                                                                                                                                          Function 05182A68 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd02fe9ba1c51ac964d82417f2562a2c9f0a033ed256819a7b223eef99f05c80
                                                                                                                                                                                                                                          • Instruction ID: 14ce82b422a417505d0641b17afdcda666164d82781611361771ec6f9145f542
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd02fe9ba1c51ac964d82417f2562a2c9f0a033ed256819a7b223eef99f05c80
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E017139B002118FC715EB78D945BBE77F6EB88711B510069EA05E7360DB359A02CBC0
                                                                                                                                                                                                                                          Function 0364D006 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2148657796.000000000364D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0364D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_364d000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c965f7f20884196adf03a9a6408439890e9dc5b81ad2ec8ab675980217df56bb
                                                                                                                                                                                                                                          • Instruction ID: 1b2a3aaf4788a880fd94d0847b1e594f83982f78bacdd4880f3b32083928244d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c965f7f20884196adf03a9a6408439890e9dc5b81ad2ec8ab675980217df56bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E01407140D3C05FD7128B258994B52BFB4DF53624F1D81DBE8888F297C2695844C772
                                                                                                                                                                                                                                          Function 05182997 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 334fef2260eb54289d012279f7958093638972d570abe604f5b0ce90c8a6e702
                                                                                                                                                                                                                                          • Instruction ID: 99a8abcd962645073397685beace51fecbe15401bf32418d347ede0ed6a06155
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 334fef2260eb54289d012279f7958093638972d570abe604f5b0ce90c8a6e702
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08F0A4353107005BD71AABB0EC4576E3BA6EF40600F54856CF5029B285DF75E942C7E0
                                                                                                                                                                                                                                          Function 05182A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ec4ac69a220dc7734971cfac6155c02ca456da8cef31bf7d1fdfdb4fef33a6e6
                                                                                                                                                                                                                                          • Instruction ID: 68777f58e247499044fdbd864df8d68f06fe5039f6aaceb2534fdc338a93f54c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec4ac69a220dc7734971cfac6155c02ca456da8cef31bf7d1fdfdb4fef33a6e6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A016D39B002158FC714EF79D804BAF77F6AB88710B100069EA09E7360EB31AA42CFC0
                                                                                                                                                                                                                                          Function 051829A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 255b18fc3da73594a5af3e69421166d418ba8f5a0a58e4d76766faa94b30f386
                                                                                                                                                                                                                                          • Instruction ID: b0dbaf45ffe0d3041a22e2aadac89423bd356a1cfd5875946131726cfb96e31c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 255b18fc3da73594a5af3e69421166d418ba8f5a0a58e4d76766faa94b30f386
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06F0B4353107009BC72ABB74ED44B6E3BAAEF80B00B408528F6029F685DF71A841CBE1
                                                                                                                                                                                                                                          Function 05182A20 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d41acad2acac3b96a4db2751f5778b3f9bb862a20d7a714bba87555f78c3df24
                                                                                                                                                                                                                                          • Instruction ID: af9f25d3f1e6cabc1172d265b7c4e380e40f2e3dda9f8cb7dc59bcf71a24bd17
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d41acad2acac3b96a4db2751f5778b3f9bb862a20d7a714bba87555f78c3df24
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04E026313066244BC73A25B2E9063BE3E586F41951B060095F417D22C0CF1CC68287D4
                                                                                                                                                                                                                                          Function 05182A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1065690798f9fc6dee6f12b17532c6b43c5da8d7ca17c6d3301ead72d7c7a108
                                                                                                                                                                                                                                          • Instruction ID: a3352b395a243ea5c4f67b12c621b6451e3bab3e4db3b4a07f8ef370668ce4b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1065690798f9fc6dee6f12b17532c6b43c5da8d7ca17c6d3301ead72d7c7a108
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44D02B30315A248BDA3A25B665052BE398D6F416517010065F43BC22C0DF1CC9438784
                                                                                                                                                                                                                                          Function 05182959 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5cc974111805fa2371b5c7fffde0d5c5206328117bd210c3f456b9cac3e1921a
                                                                                                                                                                                                                                          • Instruction ID: 86e8cd65bc884886892f8092ad0c398d8d871496aa953c51ae9915424060e191
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cc974111805fa2371b5c7fffde0d5c5206328117bd210c3f456b9cac3e1921a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3FE0867A501208ABCB00CFB0EC46B5DBBBDDB44640F608665E404E3210EE34AF1187C0
                                                                                                                                                                                                                                          Function 05180C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b2b58a11d3c8b671b4bc5c996d1024c116f7c9e792845b7cfced04a77f3f7aba
                                                                                                                                                                                                                                          • Instruction ID: fe796dc2e47b5af1322c52a5db1b66719b5fb6ec4e4e8a4fd0a58712f3bfb317
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b2b58a11d3c8b671b4bc5c996d1024c116f7c9e792845b7cfced04a77f3f7aba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09D0A73331011C6B47157A58DC8987AB7AEFB893A07504C23FA0183311CE706C158BD9
                                                                                                                                                                                                                                          Function 051817F0 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6985f1a91598c5d5b44a984e9f991987a03e9cddcbd5cbf66724b728aca550be
                                                                                                                                                                                                                                          • Instruction ID: 0092adbea125566eb0183cffa734ed6239a72d9f0333f8aa19000163ac89d4a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6985f1a91598c5d5b44a984e9f991987a03e9cddcbd5cbf66724b728aca550be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9DD02E3B2010001BC3061B20E81A6A67FAA9308220F084467E89183360CE3A4821C780
                                                                                                                                                                                                                                          Function 05182968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f73c2e35d811360f4e4e8a704836056bf4785499d5032d7efeba7b29e7e5351f
                                                                                                                                                                                                                                          • Instruction ID: 498f5e80fb9207dc3dacb3c9f1b44b333855aed8aeabb003ecfc04b457668732
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f73c2e35d811360f4e4e8a704836056bf4785499d5032d7efeba7b29e7e5351f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13D05E75901209EFCB00DFB4ED0495EFBFEEF45300B2086A5D808E3211EA306E008BC0
                                                                                                                                                                                                                                          Function 05180440 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab57127bb413f7957567235377bf1ffec6ba44afeefcb03856ec7c1ae821fe5c
                                                                                                                                                                                                                                          • Instruction ID: 7437d9d7ebffc365e4fc8742597fca1b005468a5db4ed608177101c45a3d0afa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab57127bb413f7957567235377bf1ffec6ba44afeefcb03856ec7c1ae821fe5c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4C04C320A45005FCF004A80DD877C97B61F765315F954B24A08090510D62E85629714

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 05180E8C Relevance: 5.2, Strings: 4, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • roperty from JsonReader. Current JsonReader item is not a property: {0}, xrefs: 0518203E
                                                                                                                                                                                                                                          • g JToken from JsonReader. Unexpected token: {0}, xrefs: 051820FD
                                                                                                                                                                                                                                          • (gq, xrefs: 0518202D
                                                                                                                                                                                                                                          • ield values does not match the number of properties defined by union '{0}'., xrefs: 0518207A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.2147821948.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_5180000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (gq$g JToken from JsonReader. Unexpected token: {0}$ield values does not match the number of properties defined by union '{0}'.$roperty from JsonReader. Current JsonReader item is not a property: {0}
                                                                                                                                                                                                                                          • API String ID: 0-660900582
                                                                                                                                                                                                                                          • Opcode ID: 7cd7b8ea138adffbf02f3a21b4e393deb21407ab58e8296e7ea2b721003a5102
                                                                                                                                                                                                                                          • Instruction ID: d2d985c997f69dace4c3ead6989e04e60330f615c4c1c08cf2e5fd085d2c6421
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7cd7b8ea138adffbf02f3a21b4e393deb21407ab58e8296e7ea2b721003a5102
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6412B36B402046BDB28B668D8A4B7E77ABDFC9300F14842DE506EB381CF349D06CB90

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FF848610C1D Relevance: 9.5, Strings: 6, Instructions: 2014COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: wPH$HAPH$HAPH$HAPH$HAPH$hxPH
                                                                                                                                                                                                                                          • API String ID: 0-559960750
                                                                                                                                                                                                                                          • Opcode ID: ca725fcc8bee995014c61d072e90cc94de81fb07b9405be780dc58ad8058ac73
                                                                                                                                                                                                                                          • Instruction ID: 96ad69ab3a5fa54f456f53f993121e3deaf41710a16b91360b936d89241acd79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca725fcc8bee995014c61d072e90cc94de81fb07b9405be780dc58ad8058ac73
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CF229709185298FDBA9EF28C4987A9B3B1FF59345F5041F9D00ED7296CB39AA81CF04
                                                                                                                                                                                                                                          Function 00007FF84861184E Relevance: 1.5, Strings: 1, Instructions: 240COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HAPH
                                                                                                                                                                                                                                          • API String ID: 0-3422608591
                                                                                                                                                                                                                                          • Opcode ID: 5b74116f67b78575c71cbce06f19f3356dc04ebdf9163b3d619c9d17d8f8f5ab
                                                                                                                                                                                                                                          • Instruction ID: 5246902a5dfdecbdf65da6d8ed291b83d53d8e4299e57b828f99bec82f8f5e7d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b74116f67b78575c71cbce06f19f3356dc04ebdf9163b3d619c9d17d8f8f5ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52816D30D195698FEB98EF68C4987F9B3B1EB55345F5050B9D00DA7292CB79AAC0CF04
                                                                                                                                                                                                                                          Function 00007FF84861C922 Relevance: .5, Instructions: 460COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 413641f37677a3476c45e8fe876e676e65a9d6cc41fa9302ec741d51f8cb996a
                                                                                                                                                                                                                                          • Instruction ID: 01e053ca3adf0754f1f0c718281da5654110b5e0c9ce0b3b10ec212bbf586f51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 413641f37677a3476c45e8fe876e676e65a9d6cc41fa9302ec741d51f8cb996a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DFE1A33090CA8D8FEBA8EF68C8597ED77D1FB54350F04426AD84DC7296CF74A9448785
                                                                                                                                                                                                                                          Function 00007FF848611E7E Relevance: .2, Instructions: 190COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 942c347659daa884bc2dcd16d1970ebadc7d5323917533e7a6b2110a664e59e9
                                                                                                                                                                                                                                          • Instruction ID: 6dc74bdd18bbdc99d87ff3e02136ff2b2a193b8779eb39f29f703b14ea36b783
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 942c347659daa884bc2dcd16d1970ebadc7d5323917533e7a6b2110a664e59e9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6615970D1C62D8FEBE5EA6898897E9B3B5EB55740F5041F9D00DD6282CB39AAC1CF04
                                                                                                                                                                                                                                          Function 00007FF848611E88 Relevance: .2, Instructions: 178COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 24feffef75be91bd029c0ae21ed66cbb2c005e6ed6d4f97c16d52ecec06aee84
                                                                                                                                                                                                                                          • Instruction ID: f242a00b66a8a16c625d26206cafa73e6e88e4dd0e9cd1eb97fdbc80ee259055
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24feffef75be91bd029c0ae21ed66cbb2c005e6ed6d4f97c16d52ecec06aee84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63516A30D1C5298FEBA4EE68D8897E9B3B5EB55740F1041F9D00DD6282CB39AAC5CF44
                                                                                                                                                                                                                                          Function 00007FF848611EB6 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b7a242f005a2974663bacd2c42d0899a7e6166ec68fbcb47c4d17938e60dd4a2
                                                                                                                                                                                                                                          • Instruction ID: 6b5b8b63644d060545ff0f2fafe27c5c678d54a87e26165746b9fd4995613873
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7a242f005a2974663bacd2c42d0899a7e6166ec68fbcb47c4d17938e60dd4a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC513770D0852D8FEBA5EB6888897E9B3B5EB55740F5041F9D00DD6282CB39AAC1CF44
                                                                                                                                                                                                                                          Function 00007FF84861673A Relevance: 4.1, Strings: 3, Instructions: 386COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: P(oH$P(oH$P(oH
                                                                                                                                                                                                                                          • API String ID: 0-4201783767
                                                                                                                                                                                                                                          • Opcode ID: 1c3884b06b8ffbf92e54b9af3574ca2fa70b693af7148a0573f31b11788d57c9
                                                                                                                                                                                                                                          • Instruction ID: f0a7f53a1438af5b02d4dc778a01ca5ed093f511607147c114f7f9007fb8cede
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c3884b06b8ffbf92e54b9af3574ca2fa70b693af7148a0573f31b11788d57c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADD11775D0DA8B4FE7D5EF688859AB53BE0EF11390F0405F9D449CB193EB28AC498784
                                                                                                                                                                                                                                          Function 00007FF848610C89 Relevance: 3.4, Strings: 2, Instructions: 891COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HAPH$HAPH
                                                                                                                                                                                                                                          • API String ID: 0-2142215267
                                                                                                                                                                                                                                          • Opcode ID: bd0e7379da10d21e6e2df94a86f8b5686562158e36f793fe87b33524c0b5c8e3
                                                                                                                                                                                                                                          • Instruction ID: 4ce0c20d1246da40a83f4b3c125bca0ad42ed6e10d141a47324c07aa68034db6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd0e7379da10d21e6e2df94a86f8b5686562158e36f793fe87b33524c0b5c8e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF72377091951D8FDB99EB18C4987A9B3A2FF58345F6041F9C00ED7286CF3AAA81CF54
                                                                                                                                                                                                                                          Function 00007FF848700853 Relevance: 2.2, Strings: 1, Instructions: 942COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223742885.00007FF848700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848700000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848700000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `eoH
                                                                                                                                                                                                                                          • API String ID: 0-3457982238
                                                                                                                                                                                                                                          • Opcode ID: cd87673c4792d382a2ddbaab39a2610c35f9cb64769eab8c23b7ce7927d7fb82
                                                                                                                                                                                                                                          • Instruction ID: 5440f32af4d02db18ed4f8670547f40ffd4b2946aafe6fb300392e53618089ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd87673c4792d382a2ddbaab39a2610c35f9cb64769eab8c23b7ce7927d7fb82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F12830B0CA494FE759B62C982567537D1EF5B764F1402BED04EC72E3DE19AC42878A
                                                                                                                                                                                                                                          Function 00007FF848618295 Relevance: 1.7, Strings: 1, Instructions: 428COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^
                                                                                                                                                                                                                                          • API String ID: 0-1590793086
                                                                                                                                                                                                                                          • Opcode ID: 99cb65b5a91ce4df45de8e53e3af7c9db31706bf0eb6c2f92e2474e38c24c08b
                                                                                                                                                                                                                                          • Instruction ID: 5358f1d82d5c378ac1bb176c4350f63f84f159668de9ba07d44e67eea4ec81e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99cb65b5a91ce4df45de8e53e3af7c9db31706bf0eb6c2f92e2474e38c24c08b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37F1D470909A1D8FDB95EB68C498BE9B7F1FF69301F1041AAD00DE7292DB75A981DF00
                                                                                                                                                                                                                                          Function 00007FF84861596C Relevance: 1.6, Strings: 1, Instructions: 387COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: M_^
                                                                                                                                                                                                                                          • API String ID: 0-3807191693
                                                                                                                                                                                                                                          • Opcode ID: 90dac746a6a8db9db21297fb067cd428cc96f316b8e4a1abcf00b5c1a3e52aa3
                                                                                                                                                                                                                                          • Instruction ID: 5d7206e238c25db1e51b38056bc9d8b5310e94aa13d2bcf8799e7008a941425f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90dac746a6a8db9db21297fb067cd428cc96f316b8e4a1abcf00b5c1a3e52aa3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57B18C32A0D6864FE354BF7CA85A1FCB791EF51362F0406BBD188CB193EE5D64498391
                                                                                                                                                                                                                                          Function 00007FF8487004DE Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223742885.00007FF848700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848700000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848700000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `>oH
                                                                                                                                                                                                                                          • API String ID: 0-2935316047
                                                                                                                                                                                                                                          • Opcode ID: 09b90cef78b128560bf25bcbad2607642824e5f99c11437f9559fc111bcabed3
                                                                                                                                                                                                                                          • Instruction ID: 527645c6df01d466858d41e874e59a94ad95b709370b803b7a3199eec5deee40
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09b90cef78b128560bf25bcbad2607642824e5f99c11437f9559fc111bcabed3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62412721E0DE854FE396E73C58669607BE1EF5B764B0900FBC089C72A3EA189C06C345
                                                                                                                                                                                                                                          Function 00007FF84861B679 Relevance: .4, Instructions: 414COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3a6c74a5874f2840495a83e6e440abc14e62c85ec111cc8a604f8ed9b988cf7b
                                                                                                                                                                                                                                          • Instruction ID: 3c51f0727b47a4951787d3e4694f098d76b8adcdaf014160db211daf8d58113c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a6c74a5874f2840495a83e6e440abc14e62c85ec111cc8a604f8ed9b988cf7b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD1C53090CA8D8FEBA8EF28D8557E977D1FF55340F04426EE84DC7292CB74A9458B82
                                                                                                                                                                                                                                          Function 00007FF848612FFA Relevance: .4, Instructions: 372COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 895f17cd12ae9dd86d64d69840ca4f0e21f70bcb2cb140ed830918705e1f93cd
                                                                                                                                                                                                                                          • Instruction ID: 57cd57af9d57cb9691ab24fba88a68c65dd6c197691fd4ff165487dbcbc1c23d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 895f17cd12ae9dd86d64d69840ca4f0e21f70bcb2cb140ed830918705e1f93cd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3B1C62790D5A26BE341BBBCB8571ED7B90DF417BAF088177D2CC9D083EE58644A8394
                                                                                                                                                                                                                                          Function 00007FF848700004 Relevance: .4, Instructions: 354COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223742885.00007FF848700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848700000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848700000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bce05986592f5543bf1a9aa019951258f2ecf8b25ccdb187226ef9f6f910c0da
                                                                                                                                                                                                                                          • Instruction ID: baffc6ef9f45b163111bad7a2bffd413dc170d07fca9ef65783d96dc50863d87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bce05986592f5543bf1a9aa019951258f2ecf8b25ccdb187226ef9f6f910c0da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29A12631A4CB898FE759EB2C98645747BE1EF97760F1501FBD089C71A3EE18AC028749
                                                                                                                                                                                                                                          Function 00007FF84861C536 Relevance: .3, Instructions: 333COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0bfee439ab9a3a0746f441c61d53ab512fc267619f35011b91dce716c8c1fc5b
                                                                                                                                                                                                                                          • Instruction ID: 9ed66236d7b733896e61a1da5d1d7c62f74a041f1e292314cc22da04517d3bd1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0bfee439ab9a3a0746f441c61d53ab512fc267619f35011b91dce716c8c1fc5b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBB1A43090CA8D8FEBA9EF28C8557E93BD1EF55350F04426AE84DC7292CB749945CB86
                                                                                                                                                                                                                                          Function 00007FF84861D7BE Relevance: .3, Instructions: 314COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1fabb30d7f33f0fb3609594922136d036d1fc65a578a5998d8fcd8147dbd40ba
                                                                                                                                                                                                                                          • Instruction ID: 34e22576c9cc556da7f2756d97b9e63968354e0552ae5d43e0fae7ee4e7d57c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fabb30d7f33f0fb3609594922136d036d1fc65a578a5998d8fcd8147dbd40ba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EB1A270A1895D8FDF94EF68C898BA9B7F1FF69301F1041A9D00DE7262DB74A985CB40
                                                                                                                                                                                                                                          Function 00007FF848613368 Relevance: .3, Instructions: 293COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eef1ff903f2ba2de1401bc91f83755b674c92b76c4ebef2ab59f2fcdf14810cf
                                                                                                                                                                                                                                          • Instruction ID: 97d0e9c6aefd11d2a3d3cf3d44223c9346772c156c2f9245a6b89da14c585b68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eef1ff903f2ba2de1401bc91f83755b674c92b76c4ebef2ab59f2fcdf14810cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61A15A30A0CA5D8FEBA5EB6CD4487A9B3B1FF55340F5041B9C04EE7286CB79A985CB44
                                                                                                                                                                                                                                          Function 00007FF848611B2F Relevance: .2, Instructions: 233COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56821e39cabaf43820b83d0f03866624601909f8f4d2e2e0275a81b04b4399e1
                                                                                                                                                                                                                                          • Instruction ID: 20349633927397a85044348d8dca6b7f4886d1c32947e068bc62046c3e893af7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56821e39cabaf43820b83d0f03866624601909f8f4d2e2e0275a81b04b4399e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55913C30D0962D8FDBA5EE68C8887E8B3B1EF55741F5081B9D00D97296CB79AA85CF40
                                                                                                                                                                                                                                          Function 00007FF84861946C Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c19b1e357bb63779d8cfb9dafce8159a86727cf0a19c3516894c0873c46ebc14
                                                                                                                                                                                                                                          • Instruction ID: 92560327dfbdac8079ec3da5d381c4b61c9d9dc350606b78860d00ae3bf6e2b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c19b1e357bb63779d8cfb9dafce8159a86727cf0a19c3516894c0873c46ebc14
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54517331918A0C8FDB59EF58D845BE9BBF1FB59310F0082AAD04DD3256DF34A9858F81
                                                                                                                                                                                                                                          Function 00007FF84861E6D9 Relevance: .1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3a52e625b1d040979765518d93452804f5aa28225a3ba7cd43f7ad77d84d53d5
                                                                                                                                                                                                                                          • Instruction ID: 5f9dec12b67db9753990c20c1d3980b672df1b89abe02d4a1c83c8a41fb97da3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a52e625b1d040979765518d93452804f5aa28225a3ba7cd43f7ad77d84d53d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F41F730D0851D9FDB89EF98D895AFEB7B1FF59300F14046AE00AE7292CB35A851CB54
                                                                                                                                                                                                                                          Function 00007FF8486163FB Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b769090e5fded9c35b0e5f64d5908fa960269dbba0716b0f694ce15704e0b671
                                                                                                                                                                                                                                          • Instruction ID: d4df3035d1b0f74c4840679448a4e1b7134f5aa534d096ca08b950de413d0206
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b769090e5fded9c35b0e5f64d5908fa960269dbba0716b0f694ce15704e0b671
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2931DD36A1CA8A8FEBC5FF6898991F977A0FF56394F0042B6E418C7193DB25AC01C744
                                                                                                                                                                                                                                          Function 00007FF848617A45 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18e393af4382a2bd048eb9317b04a340c7331ef5fcf02e6afd0b4127859f3962
                                                                                                                                                                                                                                          • Instruction ID: dfbb04ee8ff47c739c6213538f95b2da0089799eded2fb4203254bff5aaefe8a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18e393af4382a2bd048eb9317b04a340c7331ef5fcf02e6afd0b4127859f3962
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82419E30E1894D9FEB81EFA8D4446EDB7B1FF59340F50017AD008DB296CB39A945CB50
                                                                                                                                                                                                                                          Function 00007FF84861D1F4 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f739d47add443b175aaf6e448c026aecef4ddd02df9ecd2f194a59f749653f23
                                                                                                                                                                                                                                          • Instruction ID: 60a6f6a0eb8d6e2b8d0ba47badb66c7b95ca356bc9ca87ff9f50a5b88c4835e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f739d47add443b175aaf6e448c026aecef4ddd02df9ecd2f194a59f749653f23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8831D330D1891DCFDB98EBA8D499AEDB7B1FF69341F500079D01DD7296DB39A8818B04
                                                                                                                                                                                                                                          Function 00007FF848617C51 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a5097b25cc82dd77912084f191eb2bc86b59ec8993f11d802fd347e1c1793afb
                                                                                                                                                                                                                                          • Instruction ID: 07574daafba6379732a7ac5fa84063e3f9defceaff8c5825a244606f23fe9453
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a5097b25cc82dd77912084f191eb2bc86b59ec8993f11d802fd347e1c1793afb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3431AE71E18A4DCFEB81EF68D4446EDB7B1EF55740F404266D408DB296CB3AA944CB40
                                                                                                                                                                                                                                          Function 00007FF848614EFA Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 94187b83ea251570ddbd56beda06c919aa3928764c80ced867dacc92cee1503c
                                                                                                                                                                                                                                          • Instruction ID: 485cbafc6f94592a4ddfc22d329db51f603917b2491ea426f50740f6546eeb25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94187b83ea251570ddbd56beda06c919aa3928764c80ced867dacc92cee1503c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1121F532A0DADD4FD746FF68A8751EA7BA1FF86321B0402B7E448C7293CE649805C795
                                                                                                                                                                                                                                          Function 00007FF8486149F1 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 087eb1fec54ecb457b55c2a05a7b5d3978e3ea62df70be0736b027ad4b499a84
                                                                                                                                                                                                                                          • Instruction ID: 9eaa3e989cdadb3464b97d60581847a18adc2be5991e9582b1fa5749c618b07d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 087eb1fec54ecb457b55c2a05a7b5d3978e3ea62df70be0736b027ad4b499a84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C31FA3060964D9FDB94EF68D455AE973A2FF99344FA18578D40DCB286CF3AE842CB04
                                                                                                                                                                                                                                          Function 00007FF848617DC1 Relevance: .1, Instructions: 80COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d313cf13adfbb99eb8996b8394ad031e2712fcc226bb3bcb2b55740b31cac3c3
                                                                                                                                                                                                                                          • Instruction ID: 3d65325fecb401d1adbf82f270a96555e94c50ad4cbec041aca57347aacd6b75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d313cf13adfbb99eb8996b8394ad031e2712fcc226bb3bcb2b55740b31cac3c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0212A70E18A5D9FEF90EBA8D4496EDBBF1FF58344F000476E008E7292DB34A8518B41
                                                                                                                                                                                                                                          Function 00007FF84861483D Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d7e1c8fe79e15a8a98ad45cbf7d0700ea651fabbac89419cb18a1420dd89119f
                                                                                                                                                                                                                                          • Instruction ID: 39c6319c0d68704302c91ebe2d17b30a7557d8e42b4db5da0597a9515dfd9dbb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7e1c8fe79e15a8a98ad45cbf7d0700ea651fabbac89419cb18a1420dd89119f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C110832D0D6C96FE750BF6CA8962F93B51EF41249F044176E58C8B0D3EF68A455C385
                                                                                                                                                                                                                                          Function 00007FF848613B7D Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 661f1c91df024cbe4d82c361eb04119b1aea56758730b4c2c6b5a023115c85dd
                                                                                                                                                                                                                                          • Instruction ID: c0d8bd841c0997af1d6672d1cbd3bd04dc82f5d82dc08914eda1c8f281efede6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 661f1c91df024cbe4d82c361eb04119b1aea56758730b4c2c6b5a023115c85dd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5117C31E0C6499FEB50EBA8C4456EEB7B1EF55341F0041B9D10AD72C2DB79A4848B45
                                                                                                                                                                                                                                          Function 00007FF84861D132 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0a7d2d03b8b1d433af2c29557519e80de2c85ea6e8ff451622f5ecf7d47605eb
                                                                                                                                                                                                                                          • Instruction ID: b43d33542f04716b018786382688ac863def7ad1dfd12c4641bd577deed4a7b4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a7d2d03b8b1d433af2c29557519e80de2c85ea6e8ff451622f5ecf7d47605eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9114071A1891DDFDF85EF98D485AECB7B1FF69341F540069E009E7252CB39A8818B44
                                                                                                                                                                                                                                          Function 00007FF8486179CC Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 72eeb794b4c8d990a6daa853561a16320a48996c64bf3337fde3ace569306085
                                                                                                                                                                                                                                          • Instruction ID: 8213cba79214611a5d4adb74abc3afe1ff51628916c6a22fc7f3ee37fce5aa56
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72eeb794b4c8d990a6daa853561a16320a48996c64bf3337fde3ace569306085
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F018B31E1984E5FFB84FBAC94199EDB766EF84381F500276D408DB18FEE6A28864700
                                                                                                                                                                                                                                          Function 00007FF848616E93 Relevance: .0, Instructions: 6COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 039962c945a53ad2a52a65c2483933fd65983eb2f8034bd6be28a5924c5985eb
                                                                                                                                                                                                                                          • Instruction ID: 27129c21cac229132fabf50ce497ebee2a65a1d90fa947329f0a6a97ce8a9a90
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 039962c945a53ad2a52a65c2483933fd65983eb2f8034bd6be28a5924c5985eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D09002058CE46E05D484309539460D471448745561FC72461EC0C44147998E1ED60189

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 00007FF848616058 Relevance: 11.7, Strings: 9, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$H.oH$h/oH$p-oH$x,oH$M_I$M_^$M_^
                                                                                                                                                                                                                                          • API String ID: 0-2161063304
                                                                                                                                                                                                                                          • Opcode ID: 921c5d9a3e1ca4d0bfa4abcd02b3d9db4f498627c076a57569c09482d3aec450
                                                                                                                                                                                                                                          • Instruction ID: a09dc82c40cf3f892e71b03c52ffd67769f2ab4f6be4639730d506e5de76e806
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 921c5d9a3e1ca4d0bfa4abcd02b3d9db4f498627c076a57569c09482d3aec450
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0FC13E1BF0E4961FE2917B6CB85B0F97750DF81677B0883B7C2CC8A197EE18684A45C9
                                                                                                                                                                                                                                          Function 00007FF848616050 Relevance: 11.7, Strings: 9, Instructions: 434COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$H.oH$h/oH$p-oH$x,oH$M_I$M_^$M_^
                                                                                                                                                                                                                                          • API String ID: 0-2161063304
                                                                                                                                                                                                                                          • Opcode ID: 2d08f5c9887acc21ca543ab8a5ffb543e310dd4b63ae5ba604c7eacb7d445478
                                                                                                                                                                                                                                          • Instruction ID: c06c12cdeba089dcc9c1975693ce82beb60602100484f45ec6a6bf8eca86bd74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d08f5c9887acc21ca543ab8a5ffb543e310dd4b63ae5ba604c7eacb7d445478
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BC13D1BF0E5961FE251BB6CB85B0F97750DF81277B0883B7C1CC8A197EE18A84A85C5
                                                                                                                                                                                                                                          Function 00007FF848616080 Relevance: 11.7, Strings: 9, Instructions: 409COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$H.oH$h/oH$p-oH$x,oH$M_I$M_^$M_^
                                                                                                                                                                                                                                          • API String ID: 0-2161063304
                                                                                                                                                                                                                                          • Opcode ID: 091e320f3be32a4eb51fa74e32b825d20ddb5fd035baa9aabff1aef56b62d3af
                                                                                                                                                                                                                                          • Instruction ID: 6ad53b350918c3b85244885907bf7bc1f64c26773ca3de83df91cdb4ca0e29c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 091e320f3be32a4eb51fa74e32b825d20ddb5fd035baa9aabff1aef56b62d3af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27B12E1BF0E5961FE2917B6CB85B0F87750EF81677B0883B7C18C8A197EE18684545C9
                                                                                                                                                                                                                                          Function 00007FF848616110 Relevance: 10.3, Strings: 8, Instructions: 338COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$H.oH$h/oH$p-oH$x,oH$M_I$M_^
                                                                                                                                                                                                                                          • API String ID: 0-1918715597
                                                                                                                                                                                                                                          • Opcode ID: d0bbd27376a84a0300b2c8e3b824ea287aac234bc68f26e9ff3622d2be70e157
                                                                                                                                                                                                                                          • Instruction ID: b21dcf4af698244a47e8cfd6812eee52fbea901c4b333a3792381d5aaf96e4e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0bbd27376a84a0300b2c8e3b824ea287aac234bc68f26e9ff3622d2be70e157
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E913F17F0E4961FE291BB7CBC5B1F97B50EF81672B1843B7C18C8A197EE18A80585C5
                                                                                                                                                                                                                                          Function 00007FF848616E38 Relevance: 7.6, Strings: 6, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$X"oH$`-oH$h/oH$p-oH
                                                                                                                                                                                                                                          • API String ID: 0-1241350843
                                                                                                                                                                                                                                          • Opcode ID: 7da35c937f65f5270e39cbf0b2064b4fcbab0aa324c2cbb66ed84a7fc3a1b34e
                                                                                                                                                                                                                                          • Instruction ID: 98329da9a9bea654eb928f71ea5bfd309a90ce88afe946c8ff9e8d2ea5d30114
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7da35c937f65f5270e39cbf0b2064b4fcbab0aa324c2cbb66ed84a7fc3a1b34e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2115967C0E9C64FE3D4DEA8280D0787B91FF42651F0902F6C048871DFEE189C054B45
                                                                                                                                                                                                                                          Function 00007FF848616EA1 Relevance: 6.3, Strings: 5, Instructions: 86COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0,oH$`-oH$p-oH$x,oH$+oH
                                                                                                                                                                                                                                          • API String ID: 0-4197147869
                                                                                                                                                                                                                                          • Opcode ID: 42cdd4f907f87ff721fd3eeabb61a62927838cdb34aa43192484d780f5f88ae4
                                                                                                                                                                                                                                          • Instruction ID: 60782f16b70d448b45109d6f41cef32c7bf35840212763c5459a52b15682f3c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42cdd4f907f87ff721fd3eeabb61a62927838cdb34aa43192484d780f5f88ae4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B210552D0E9C24FE3C68FA828191743FB1FF42641B5A42F7D044872DFAE18DD098B44
                                                                                                                                                                                                                                          Function 00007FF848616F68 Relevance: 5.3, Strings: 4, Instructions: 315COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2223219410.00007FF848610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ff848610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /oH$@0oH$H.oH$h/oH
                                                                                                                                                                                                                                          • API String ID: 0-4292791134
                                                                                                                                                                                                                                          • Opcode ID: 62353cfba0a445da904f0fbe94b95074715143370888cf95e900e59a3a8f4a09
                                                                                                                                                                                                                                          • Instruction ID: 8c91233439f55e0999351d0866929da673bd91a6e50c726916d8c2011e4826f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62353cfba0a445da904f0fbe94b95074715143370888cf95e900e59a3a8f4a09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD914772E0DA894FD798EB6C58192B9BBE1EF55751F0442BFD04DC329BDE24AC068780

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FF848620D42 Relevance: 2.8, Strings: 2, Instructions: 303COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: wQH$hxQH
                                                                                                                                                                                                                                          • API String ID: 0-4015173361
                                                                                                                                                                                                                                          • Opcode ID: 7ff3bc476c2dfb44637d770362fa5d1d81909bb5766a7576677d6cdedab8ea42
                                                                                                                                                                                                                                          • Instruction ID: 9e589d018e557ed950b61de8148f1447299cd402940c69b032bbf1a8e4749900
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ff3bc476c2dfb44637d770362fa5d1d81909bb5766a7576677d6cdedab8ea42
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EAB1793090961A8FDB99EF28C8987A9B7B2FF49300F5045FDD00E97295CB396985CB14
                                                                                                                                                                                                                                          Function 00007FF84883DEDA Relevance: 1.4, Instructions: 1448COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9be43cb3e981bfff56ec570a29ca30947522593ffde26f79f03be3bb1791108
                                                                                                                                                                                                                                          • Instruction ID: 740aa42fcb9ed0c9869340946027d59f79b7b2089ea3235b4807d1cfd8c7e4ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9be43cb3e981bfff56ec570a29ca30947522593ffde26f79f03be3bb1791108
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05A28131B1CA4A8FEB94EB2CC459B7977D1FF98340F0441BAD04EC72A6DE29AC468745
                                                                                                                                                                                                                                          Function 00007FF848631CF0 Relevance: .7, Instructions: 665COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4f26722ec16b2714200353c23b120a64edee08425e852e03d2fca0aada680dfe
                                                                                                                                                                                                                                          • Instruction ID: 66fea2df2e12ee576c857fd5d8db37c870c68b48555d87b2015b6b3d30a1c2ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f26722ec16b2714200353c23b120a64edee08425e852e03d2fca0aada680dfe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A522F830A1CB854FD399EB28C495676BBE1FF95340F04457ED48AC3296DF28E846CB82
                                                                                                                                                                                                                                          Function 00007FF848624E6B Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3f19eee359ee95cceaf42b67b5f5cfc7c79793a5023b2ae741cdd034ff968bdf
                                                                                                                                                                                                                                          • Instruction ID: 6803f36f956d43c9543614ebf65a300094cc1d109452765781a650833e4a127b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f19eee359ee95cceaf42b67b5f5cfc7c79793a5023b2ae741cdd034ff968bdf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96419B30D0E65A8FDB99FF6888592EDBBF1EF46350F4401B9C408A72E2DB385885CB55
                                                                                                                                                                                                                                          Function 00007FF8486334D2 Relevance: 12.8, Strings: 10, Instructions: 271COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $tH$8 tH$8urH$@ tH$H tH$P tH$X tH$` tH$h tH$"tH
                                                                                                                                                                                                                                          • API String ID: 0-3534631612
                                                                                                                                                                                                                                          • Opcode ID: d373a1d6a137134b726ff37b189293f5abf9abc010c860b4ddea4e9d58b40920
                                                                                                                                                                                                                                          • Instruction ID: 1e4710d7bf6d5b91bf7e01b361a2cda6dbcec901d2d541a3ac63a3258a634e0c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d373a1d6a137134b726ff37b189293f5abf9abc010c860b4ddea4e9d58b40920
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C291E621E0DACA4FE796EF6CB8291B87BA0FF56750F0901FBD048871A7DB285806C345
                                                                                                                                                                                                                                          Function 00007FF8486333F8 Relevance: 10.6, Strings: 8, Instructions: 571COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $tH$8urH$H tH$P tH$X tH$` tH$h tH$"tH
                                                                                                                                                                                                                                          • API String ID: 0-3369442713
                                                                                                                                                                                                                                          • Opcode ID: 3fe43721426c0fb4305f7c60edde9c5f661c1d0146729dfd76de265eae151346
                                                                                                                                                                                                                                          • Instruction ID: 99c6e3582136a407677be73c19e0651fc991f9779c9ac1cb989e08d15867e077
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fe43721426c0fb4305f7c60edde9c5f661c1d0146729dfd76de265eae151346
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D020821E0DA8A4FE7D5EB6CA8695B47BE0FF55364F0801B7D048CB1A7DE28AC468344
                                                                                                                                                                                                                                          Function 00007FF84862D320 Relevance: 8.1, Strings: 6, Instructions: 608COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0PqH$0\qH$8cqH$PPqH$PPqH$`CqH
                                                                                                                                                                                                                                          • API String ID: 0-2921687286
                                                                                                                                                                                                                                          • Opcode ID: e378604b43e0fa2e7649929dff1618335c410f9e5d5ea57dd4e29d93b627a0f0
                                                                                                                                                                                                                                          • Instruction ID: d35f4cf9d23255107b181f9f776dbd9c3433320302b6777ec7e7e28b420a8448
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e378604b43e0fa2e7649929dff1618335c410f9e5d5ea57dd4e29d93b627a0f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC12D031E0CA4E9FE794FB68985A6FCBBA1FF95350F1401BAD04DC72C2DE2868428755
                                                                                                                                                                                                                                          Function 00007FF8488335E0 Relevance: 7.8, Strings: 6, Instructions: 288COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: RH$(RH$0RH$8RH$8RH$@RH
                                                                                                                                                                                                                                          • API String ID: 0-2666620795
                                                                                                                                                                                                                                          • Opcode ID: 5db273dc3c854795702d4948e6fb74f627418d5c729fb1187a2cb803ba0f561d
                                                                                                                                                                                                                                          • Instruction ID: 0df377eb75a8976b86d45a3aa5f8458ee49c00df1264873fbe1d50698d025862
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5db273dc3c854795702d4948e6fb74f627418d5c729fb1187a2cb803ba0f561d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4191E331A0DA4A8FEB95EB2C98547A977E2FF99350F1401FAC04DC7296DF299C42C740
                                                                                                                                                                                                                                          Function 00007FF84862D469 Relevance: 5.4, Strings: 4, Instructions: 414COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0PqH$0\qH$PPqH$PPqH
                                                                                                                                                                                                                                          • API String ID: 0-966855481
                                                                                                                                                                                                                                          • Opcode ID: e99ab7cc75a9135451692b0424bc2ce994a4f9f188bd90ebf36b64150348638e
                                                                                                                                                                                                                                          • Instruction ID: 1dfeab1263e891b303089262dda6b0ee624ff3a7ea380c5860b2acfa1b293eca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e99ab7cc75a9135451692b0424bc2ce994a4f9f188bd90ebf36b64150348638e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66D1B131E0CA4E9FE784FB68D8696ACBBA1FF55750F1401BAD009C72D2DF2868428B55
                                                                                                                                                                                                                                          Function 00007FF848830468 Relevance: 4.8, Strings: 3, Instructions: 1077COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: hRH$pRH$xRH
                                                                                                                                                                                                                                          • API String ID: 0-3471513998
                                                                                                                                                                                                                                          • Opcode ID: cf9e1d8368b1da964571aec484f35b3892e65af6a0a36435ae4b79621998cd7c
                                                                                                                                                                                                                                          • Instruction ID: 9cf3a91562284dd7452f2e63b612a5c97a77dcc23c80557b3cfec37e11ce468d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf9e1d8368b1da964571aec484f35b3892e65af6a0a36435ae4b79621998cd7c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6672E531A1DB8A9FE798FB28844566AB7E1FF58340F1405BED44AC72A2DF39E841C741
                                                                                                                                                                                                                                          Function 00007FF84863CB18 Relevance: 4.1, Strings: 3, Instructions: 345COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8FtH$8K_H$XKtH
                                                                                                                                                                                                                                          • API String ID: 0-4224096366
                                                                                                                                                                                                                                          • Opcode ID: c39e646dbd575f7771792444644ccca32b4c28cb8a92861e6977a921f90c2bdf
                                                                                                                                                                                                                                          • Instruction ID: 41614bcdf6eff1ce7dc8663dca475b6c2682a5fa43644ed303091a9c29d93d8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c39e646dbd575f7771792444644ccca32b4c28cb8a92861e6977a921f90c2bdf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AA10431D1EACA4FE7D6AB3858292B97BE0EF86690F4901FBC049C75D3DE1C580A8351
                                                                                                                                                                                                                                          Function 00007FF84862AAE8 Relevance: 2.9, Strings: 2, Instructions: 409COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: oH$XoH
                                                                                                                                                                                                                                          • API String ID: 0-730646097
                                                                                                                                                                                                                                          • Opcode ID: 6b80f334419b56922b0062ac463ae65085b5a416ed82b1c352bdfc585cd3a7c3
                                                                                                                                                                                                                                          • Instruction ID: 9f9c083580d39213621ce83ca0ae990ded71b154e15e7694d4d194ccd7451f8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b80f334419b56922b0062ac463ae65085b5a416ed82b1c352bdfc585cd3a7c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6C1F321A0DA8A8FEBDAFB2C545D67877D1EF59750F4800FAD44DCB2A3DE18AC058345
                                                                                                                                                                                                                                          Function 00007FF848835366 Relevance: 2.8, Strings: 2, Instructions: 313COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x^}H$x^}H
                                                                                                                                                                                                                                          • API String ID: 0-2635358569
                                                                                                                                                                                                                                          • Opcode ID: f425a9d57b061ab247ca3156b906ab23596764056846a3c6a509a9cf23a70508
                                                                                                                                                                                                                                          • Instruction ID: aca5d99365f43ecc6e5b592685531062be736665d6b7505a2b0cfab8bd53c858
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f425a9d57b061ab247ca3156b906ab23596764056846a3c6a509a9cf23a70508
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F91A361F1CD475FEBACAA2C945557973D2FFA8780B5001BAD00EC72C6EE29FC068684
                                                                                                                                                                                                                                          Function 00007FF84883CAB6 Relevance: 2.8, Strings: 2, Instructions: 291COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: TyH$TyH
                                                                                                                                                                                                                                          • API String ID: 0-1314857760
                                                                                                                                                                                                                                          • Opcode ID: 440064cd49ee9b024f9e696fc45336d1e5da551701ca2347bc8851d49c23ee45
                                                                                                                                                                                                                                          • Instruction ID: f1a09fa10fd52b05128db5a9500cb6ab6d1fde77411d9649aa916c806fb7d6ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 440064cd49ee9b024f9e696fc45336d1e5da551701ca2347bc8851d49c23ee45
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C814831A0CB454FD7A4AB2898556757BD2EFA9350F0401BFE48DC7193DF2AAC46C386
                                                                                                                                                                                                                                          Function 00007FF848637146 Relevance: 2.8, Strings: 2, Instructions: 278COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: @6tH$@6tH
                                                                                                                                                                                                                                          • API String ID: 0-1022495969
                                                                                                                                                                                                                                          • Opcode ID: 08160f266afedc8c0dae7be11dfa3290af1fdc2f52c5fd907bfc79f352a4e049
                                                                                                                                                                                                                                          • Instruction ID: 5ec7c83444dbc8a927d6bc19d73e5107c680942a50e19eaff82a6115db9602d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08160f266afedc8c0dae7be11dfa3290af1fdc2f52c5fd907bfc79f352a4e049
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9391F87090CB898FE798EF288459676B7E2FFA5340F1445BED48DC7292DF34A8418746
                                                                                                                                                                                                                                          Function 00007FF848636E70 Relevance: 2.6, Strings: 2, Instructions: 114COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: @6tH$DtH
                                                                                                                                                                                                                                          • API String ID: 0-1790835947
                                                                                                                                                                                                                                          • Opcode ID: 2020f239c29f31eba23f16c4823e8cd906e2779c65fdcc05b807a44f297988e8
                                                                                                                                                                                                                                          • Instruction ID: 671b86ab17d81df25ec339d701ec021a4f80ceecba876070d69d9545162da5d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2020f239c29f31eba23f16c4823e8cd906e2779c65fdcc05b807a44f297988e8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5131E33290CB864FD784EB3CC85D665B7E1FFA5350F0406BED089C72A2DE28A8458746
                                                                                                                                                                                                                                          Function 00007FF84863532A Relevance: 2.6, Strings: 2, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (4cH$@@cH
                                                                                                                                                                                                                                          • API String ID: 0-1860835860
                                                                                                                                                                                                                                          • Opcode ID: baff5c05c1be23af7b4a698b4b64972b26c2b56decb30d3de4c7e2c6f4946ff6
                                                                                                                                                                                                                                          • Instruction ID: b04618eed21d2d20f8b2fdcb4808335c07fbdb258595c7868e441c9e96ab619f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: baff5c05c1be23af7b4a698b4b64972b26c2b56decb30d3de4c7e2c6f4946ff6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1116162F0DE5B8FFAE8E91CA46C27563D2EBA8691B14457FC00DC7185EE24EC0A8744
                                                                                                                                                                                                                                          Function 00007FF848640A30 Relevance: 2.0, Strings: 1, Instructions: 761COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8K_^
                                                                                                                                                                                                                                          • API String ID: 0-3655618587
                                                                                                                                                                                                                                          • Opcode ID: d38e42296c8d861d2d43149ca6ffe554edb86fcba2cd0ad7531f05e043f306c9
                                                                                                                                                                                                                                          • Instruction ID: b1030e02f81f3afa2e643d80abd6223605d7fc893e7d944f12e3fec4cd90a1c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d38e42296c8d861d2d43149ca6ffe554edb86fcba2cd0ad7531f05e043f306c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3222D33D0D6A68FF7D5762C68A91ED3B91EF52A94F0901B7C048CB093DF19680A875E
                                                                                                                                                                                                                                          Function 00007FF84863C500 Relevance: 1.8, Strings: 1, Instructions: 521COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0\qH
                                                                                                                                                                                                                                          • API String ID: 0-4209668476
                                                                                                                                                                                                                                          • Opcode ID: 69c828c62d4733dca0ddf3c8e1457184d349c6e87002079ed32dd1a169b65867
                                                                                                                                                                                                                                          • Instruction ID: 2c3f5d198d657779bbe0d3259123242f4e1037b639cf201bb18824564acad63c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69c828c62d4733dca0ddf3c8e1457184d349c6e87002079ed32dd1a169b65867
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3E16832A0DA565FD794BB6CE8496E877D0EF85361B0401BBD089CB193DB18B886C389
                                                                                                                                                                                                                                          Function 00007FF8488366C0 Relevance: 1.8, Strings: 1, Instructions: 509COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ;9_L
                                                                                                                                                                                                                                          • API String ID: 0-1872573059
                                                                                                                                                                                                                                          • Opcode ID: 696603712ec387a8518102cb3e52657e7242940719d7db295bd877c0221d9e9a
                                                                                                                                                                                                                                          • Instruction ID: cb9383bd7bc1dfd4f9e2ec2c356ffbd431fd50ff3fe548c5d2561ebd6fd48a77
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 696603712ec387a8518102cb3e52657e7242940719d7db295bd877c0221d9e9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36D1F622F1DD5B5FEBE9FA2C64552BA23D1EF9C790B0441BBD40DC3286EE19AC425384
                                                                                                                                                                                                                                          Function 00007FF8486271FB Relevance: 1.8, Strings: 1, Instructions: 503COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: >mH
                                                                                                                                                                                                                                          • API String ID: 0-131556592
                                                                                                                                                                                                                                          • Opcode ID: 4d15d582e2bbdccf5071abf24f78183c0033e53e51ecbd8a41135a37c1e4870a
                                                                                                                                                                                                                                          • Instruction ID: a1440f751ed88121b98066f3076bedbad5f65c69f5c3071406cfe259aa22c491
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d15d582e2bbdccf5071abf24f78183c0033e53e51ecbd8a41135a37c1e4870a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F02CC30D0DA5A8FEB95EB68C859AADBBF1FF55340F0441FAD009D7292DB386885CB44
                                                                                                                                                                                                                                          Function 00007FF8486343F7 Relevance: 1.7, Strings: 1, Instructions: 459COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 7af8b3b435eba13b2e601fef9b9f9aac7b50387e534c1c8cb8cc13c2321b6d23
                                                                                                                                                                                                                                          • Instruction ID: a00364e91e4397a3e634e2bcfd49d6c4881dc4ae5cf86398d4e70ed5b9fac017
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7af8b3b435eba13b2e601fef9b9f9aac7b50387e534c1c8cb8cc13c2321b6d23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74E10230A1CB498FE7A9EB5C8448675B7E1FFA5340F1405BED44AC7292DE39E8428785
                                                                                                                                                                                                                                          Function 00007FF84862D9E9 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: h"rH
                                                                                                                                                                                                                                          • API String ID: 0-2165391528
                                                                                                                                                                                                                                          • Opcode ID: 2afb1f5872b58e21d6ed5ee58568c036bec7e2a8939b81a9412106da38db7136
                                                                                                                                                                                                                                          • Instruction ID: 74019bf92120ba2f0af069e76374548174fff5d17a9d9f98af88add14e23df7e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2afb1f5872b58e21d6ed5ee58568c036bec7e2a8939b81a9412106da38db7136
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62D1153160CB4D8FDB94FA18D4596A5B7E1FBA5390F0402BED04DC7292DE66E846C782
                                                                                                                                                                                                                                          Function 00007FF8488373FD Relevance: 1.7, Strings: 1, Instructions: 436COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: *9_H
                                                                                                                                                                                                                                          • API String ID: 0-2153104992
                                                                                                                                                                                                                                          • Opcode ID: e4cc3ed08ad364a77afca5b2a24648bf058067b47ae94c59f06e181db0d7ccf1
                                                                                                                                                                                                                                          • Instruction ID: fd21634178525cf9737ba77ac1566f8f368b93efdf63e2b54bec2fe7c31614f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4cc3ed08ad364a77afca5b2a24648bf058067b47ae94c59f06e181db0d7ccf1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67C12531B1DA8A5FE799BB2894595B977D1FF98340F0401BEE049C7296EF29EC068344
                                                                                                                                                                                                                                          Function 00007FF848633B28 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 4920628768102b075428df9079f2383200d57e28a0c191a3a7da9533cd430b7b
                                                                                                                                                                                                                                          • Instruction ID: 301bb684c6759f5afbb7279692403b0d1d2cb9a3a08b40e2a27d3053cbb1ba43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4920628768102b075428df9079f2383200d57e28a0c191a3a7da9533cd430b7b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39D10E30A0CB454FD3A8EB5CA4855BAB3E0FFA5354F14467ED48AC7292DE35F8428B85
                                                                                                                                                                                                                                          Function 00007FF848833E87 Relevance: 1.6, Strings: 1, Instructions: 355COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HRH
                                                                                                                                                                                                                                          • API String ID: 0-2197412972
                                                                                                                                                                                                                                          • Opcode ID: 635e5fcea87e774a55cbd68cda71d1bf29ce4acd17e09334253f712357718088
                                                                                                                                                                                                                                          • Instruction ID: b78aae61e00b4d98fdfd3f66276a11d22913e884b467ca498fa5c54fe8bffd1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 635e5fcea87e774a55cbd68cda71d1bf29ce4acd17e09334253f712357718088
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BFB11971E0DA8B9FE755EA7C98545B97BE0FF69350F0801BBC049C7196DF2A9C068740
                                                                                                                                                                                                                                          Function 00007FF848624B1D Relevance: 1.6, Strings: 1, Instructions: 331COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: H0mH
                                                                                                                                                                                                                                          • API String ID: 0-4091254294
                                                                                                                                                                                                                                          • Opcode ID: 1e666263edda0d3fdda42b73d8a70192c188149deba6ad592ec0e4f5bbe21a0c
                                                                                                                                                                                                                                          • Instruction ID: c6c3403b19b871a34e7259658a80adaa3d76a54c4364c136fb2c1e5cab99cca1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e666263edda0d3fdda42b73d8a70192c188149deba6ad592ec0e4f5bbe21a0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36B1FE3190EA8A8FEB95FB2898592E97BF1FF06350F4402FAD449CB1A2DB785C45C701
                                                                                                                                                                                                                                          Function 00007FF848839C2D Relevance: 1.6, Strings: 1, Instructions: 321COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: RH
                                                                                                                                                                                                                                          • API String ID: 0-3594678996
                                                                                                                                                                                                                                          • Opcode ID: 91b22abbedcbb1ae34bb109201c9a4305a6474555e4918adcb64ba1afb6495b3
                                                                                                                                                                                                                                          • Instruction ID: fc80677f2e9da843a1279098344666a3479fa8c06fa6220bacb9591c92ee4a02
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91b22abbedcbb1ae34bb109201c9a4305a6474555e4918adcb64ba1afb6495b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76A14731A0C6834FE75AA73888951B87BD1EF8B350F1441BFC48ACB9D7DF2968868345
                                                                                                                                                                                                                                          Function 00007FF848633BA8 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: d429b818081babd13a7c93f9d79a5f49d56ddb3fb0dd7a035fa8ee352b79859d
                                                                                                                                                                                                                                          • Instruction ID: caae54d6bbf853d3b4baab4500dc9391701f62c2031c1eef6bd299390d3cbb93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d429b818081babd13a7c93f9d79a5f49d56ddb3fb0dd7a035fa8ee352b79859d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59910D30A1CB498FD7A8EA4CD449536B3E1FBA9350F10467ED48AC7296DB35F8428B85
                                                                                                                                                                                                                                          Function 00007FF848635B80 Relevance: 1.6, Strings: 1, Instructions: 307COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: K_H
                                                                                                                                                                                                                                          • API String ID: 0-313846638
                                                                                                                                                                                                                                          • Opcode ID: 84cd94f1717d387c855ad8f93a66a4e16a0e0a02486eedfb428e306ecf3d2169
                                                                                                                                                                                                                                          • Instruction ID: 5fe48356ad2862e5085813e0c343197fbda33e377c1c8405c426326fa42ecba2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84cd94f1717d387c855ad8f93a66a4e16a0e0a02486eedfb428e306ecf3d2169
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D712322F1DD5A8FF6E5A62C246C27563C2EFA8AD1F6001BBC44DC72D5EE189C064299
                                                                                                                                                                                                                                          Function 00007FF8488314F0 Relevance: 1.5, Strings: 1, Instructions: 290COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: x^}H
                                                                                                                                                                                                                                          • API String ID: 0-192649932
                                                                                                                                                                                                                                          • Opcode ID: 1085bc30c3e29ad3c700bbdff40a34dfc505ff934614104c5e70d0e49b9baa56
                                                                                                                                                                                                                                          • Instruction ID: 77da98df7bddfb39b43ace35453a6c5db4829ba18f1d687dcebd3fffe054a1a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1085bc30c3e29ad3c700bbdff40a34dfc505ff934614104c5e70d0e49b9baa56
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2811431F0DE4A5FEB58AB28945A5B973D2FF98350F5401BED00EC7196EE29BC068384
                                                                                                                                                                                                                                          Function 00007FF848639C30 Relevance: 1.5, Strings: 1, Instructions: 250COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0\qH
                                                                                                                                                                                                                                          • API String ID: 0-4209668476
                                                                                                                                                                                                                                          • Opcode ID: 765faa6001a343698ba4686ee49a4716f4da89321b606f65ea56a3560d76a744
                                                                                                                                                                                                                                          • Instruction ID: 06cb58678b8eefe5e027ba54ed460fb3551984d7a31f3c77b8659971dda6a107
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 765faa6001a343698ba4686ee49a4716f4da89321b606f65ea56a3560d76a744
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F171C630A1DA468FEBAAAF2C845D27577D1FF5A350F5404BFD04EC3A92DE28A8418B45
                                                                                                                                                                                                                                          Function 00007FF848837108 Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: PyH
                                                                                                                                                                                                                                          • API String ID: 0-430293448
                                                                                                                                                                                                                                          • Opcode ID: 212558ea1e28e323612b92de3c4de6ac73cf3b13bffdab3177aa8ef999405320
                                                                                                                                                                                                                                          • Instruction ID: 57715b1d5a92a5d74c4ce5b59d5563879fca63d394a5abb1f96023223a29e6bf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 212558ea1e28e323612b92de3c4de6ac73cf3b13bffdab3177aa8ef999405320
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B613A3261DA4A5FD75CEB28D4459B6B7E0FF55350B0046BED04EC7692DA29FC42C780
                                                                                                                                                                                                                                          Function 00007FF8488415BB Relevance: 1.5, Strings: 1, Instructions: 227COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: .+_^
                                                                                                                                                                                                                                          • API String ID: 0-3829502840
                                                                                                                                                                                                                                          • Opcode ID: 05189877f0b0ab7c552e62d1eead3233388fd296dfd8d0742d1f6391436b2dd2
                                                                                                                                                                                                                                          • Instruction ID: c918fdfec2f47299321ff90d4a216805cd74f00d5e207485d1ad4069b7ed52e0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05189877f0b0ab7c552e62d1eead3233388fd296dfd8d0742d1f6391436b2dd2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C514433A0DA565FE755BA2C68561F93BE1EF816A0F0841BBC14CC7297FF24A8064389
                                                                                                                                                                                                                                          Function 00007FF848628D32 Relevance: 1.5, Strings: 1, Instructions: 224COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0pmH
                                                                                                                                                                                                                                          • API String ID: 0-768250789
                                                                                                                                                                                                                                          • Opcode ID: 9815dc52224f56dca98943c8e1898340391ae9e4582df36c9da7ea502de4718d
                                                                                                                                                                                                                                          • Instruction ID: 5dfd6617d21fa55597154bd5a307e2db721739ff5286c285649fcfa103f6ddec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9815dc52224f56dca98943c8e1898340391ae9e4582df36c9da7ea502de4718d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A71CD70D0D69D8FDB85EBA8C859AE9BBF1FF5A350F1001AED049D7292CB385881CB10
                                                                                                                                                                                                                                          Function 00007FF84862813C Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                          • API String ID: 0-3081909835
                                                                                                                                                                                                                                          • Opcode ID: 443f376a1bb866490b8f7e282093cc1ae4e7e4d50bdb035057e7aa217f4debc5
                                                                                                                                                                                                                                          • Instruction ID: e910e217efca2a82689016cf37c2014de1d584bf6e8c0c3a2dce778c253405cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 443f376a1bb866490b8f7e282093cc1ae4e7e4d50bdb035057e7aa217f4debc5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8816970C0D65E8FDB94EBA8C8597EDBBB0EF19361F5001BED049A7292DB385985CB04
                                                                                                                                                                                                                                          Function 00007FF84862E928 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LtH
                                                                                                                                                                                                                                          • API String ID: 0-1636499586
                                                                                                                                                                                                                                          • Opcode ID: af0cdabb16722f341af34140bd95d1489708c2d3b4a664806fb03e6499451819
                                                                                                                                                                                                                                          • Instruction ID: 49e82ef84defd6137ce85fb9bd307e7f84531b6014b223651adb15898f6bc6bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af0cdabb16722f341af34140bd95d1489708c2d3b4a664806fb03e6499451819
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D510721E0EA8A4FE795AB3C98192B93FF1EF56690F4840FBD049CB197DE1C5C4A8341
                                                                                                                                                                                                                                          Function 00007FF84862E648 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HBrH
                                                                                                                                                                                                                                          • API String ID: 0-1777607862
                                                                                                                                                                                                                                          • Opcode ID: 1054a7edc4e0a13b1319798c7476b559c6f64e6a309bb47dc77e7e4c639c53d1
                                                                                                                                                                                                                                          • Instruction ID: 3b88f45933dce173ee741be143b4c4a63fdadf9cc4dcd7154d769adf6fc24af2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1054a7edc4e0a13b1319798c7476b559c6f64e6a309bb47dc77e7e4c639c53d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A651E23061CA0A4FD798AA18D888A7173E0FF99350F14067ED44EC7252DF39F8878745
                                                                                                                                                                                                                                          Function 00007FF84862512C Relevance: 1.4, Strings: 1, Instructions: 188COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HAQH
                                                                                                                                                                                                                                          • API String ID: 0-3575377294
                                                                                                                                                                                                                                          • Opcode ID: a57b30404e1d448ea80f774517b264a972e7b87aff8d21fe293647e43564b722
                                                                                                                                                                                                                                          • Instruction ID: 7cf8e59afbb598d7cd3f7edfbd6e3fb090a4fbe27a98c557cabb20ce1a57115f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a57b30404e1d448ea80f774517b264a972e7b87aff8d21fe293647e43564b722
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3451227184E68D9FDB96EB74C86A6E97FF1FF52320F0401EBD008D7592CA285886C791
                                                                                                                                                                                                                                          Function 00007FF848623CAD Relevance: 1.4, Strings: 1, Instructions: 184COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HAQH
                                                                                                                                                                                                                                          • API String ID: 0-3575377294
                                                                                                                                                                                                                                          • Opcode ID: 43a8b525171d7b7453e4c60453fd2b106a5d7d493cd412a6c9d690a339b4603c
                                                                                                                                                                                                                                          • Instruction ID: 5681684d65613c849428071cce4840a8e61bb26b0277464bf341cfb7a55707a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43a8b525171d7b7453e4c60453fd2b106a5d7d493cd412a6c9d690a339b4603c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB515430D18A0D8FDB94FBACD8496EDBBB1FB49340F50027AE409A7291CB3868458B45
                                                                                                                                                                                                                                          Function 00007FF848634C00 Relevance: 1.4, Strings: 1, Instructions: 165COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HbH
                                                                                                                                                                                                                                          • API String ID: 0-1595312804
                                                                                                                                                                                                                                          • Opcode ID: c4b6ae819ee828ca6076daf53c0590f0e6e39cb17c6c6da503526c5d06c18599
                                                                                                                                                                                                                                          • Instruction ID: 4d1786895f0744c8501a63014fd943eed582aeb1a83bbfa667aca6ff4aa2a524
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4b6ae819ee828ca6076daf53c0590f0e6e39cb17c6c6da503526c5d06c18599
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7941B221E1DD4A4FE6E9F76C9459779A7D1EFA8380F0841BBD44EC7296DE18AC028384
                                                                                                                                                                                                                                          Function 00007FF84862AE30 Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: oH
                                                                                                                                                                                                                                          • API String ID: 0-4157213197
                                                                                                                                                                                                                                          • Opcode ID: f7950d98a09756d199d2e2cee399ba1941759275b9e1e81c0dff622cb1c11057
                                                                                                                                                                                                                                          • Instruction ID: 39079c8865b670f61334c40ff557f6ca28347735dc0a193050d8cbb88a3f24db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7950d98a09756d199d2e2cee399ba1941759275b9e1e81c0dff622cb1c11057
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B41B121E1CD4A4FE7D8FB2CA45967A73D2FF98351B0442BAD04DC7286EE68E8428745
                                                                                                                                                                                                                                          Function 00007FF848840945 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                          • API String ID: 0-2852464175
                                                                                                                                                                                                                                          • Opcode ID: 848c2183189b3ee7651f615bae838e5931d447e1852dc96d218cd56c51f8ce52
                                                                                                                                                                                                                                          • Instruction ID: 8f40dc7812f814f106c7ac6213d5b07f0da5548dbc557d3ca234e1bff958e78f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 848c2183189b3ee7651f615bae838e5931d447e1852dc96d218cd56c51f8ce52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A310412F0CA8A4FFBE4B66C54142762BD1EBA5B94F1401BAC08EC7383EA1DAC464349
                                                                                                                                                                                                                                          Function 00007FF8488376F5 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: *9_H
                                                                                                                                                                                                                                          • API String ID: 0-2153104992
                                                                                                                                                                                                                                          • Opcode ID: e2ec63d9f0b769fd54acab07b201004e04e0b8a324b39f2899845f5a338468e0
                                                                                                                                                                                                                                          • Instruction ID: 5c051ad160e02944caaecca9b9e67d162bd215256fe77f7bb60a216328a3d2c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2ec63d9f0b769fd54acab07b201004e04e0b8a324b39f2899845f5a338468e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C31C231F1EE4B5FEB99BA2C941957973D1EF98784B0041BAD009C719AEF29EC068284
                                                                                                                                                                                                                                          Function 00007FF84862BCD1 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: qH
                                                                                                                                                                                                                                          • API String ID: 0-1760232885
                                                                                                                                                                                                                                          • Opcode ID: 4b85b25460fabc1f6ed628b2a660396d2afc5129399fbe6ef3199b96d3367ac6
                                                                                                                                                                                                                                          • Instruction ID: 2c3e34bff267eee30c8a9c31166342dd4e0c3d18a2b27afe7baf4cea969959b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b85b25460fabc1f6ed628b2a660396d2afc5129399fbe6ef3199b96d3367ac6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57414E21E1C91ADFEB80FB98D85A6ECB3A2FF58350F5042B5D109D7286DF2868028B55
                                                                                                                                                                                                                                          Function 00007FF848635A3B Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: {q
                                                                                                                                                                                                                                          • API String ID: 0-267941131
                                                                                                                                                                                                                                          • Opcode ID: cc6d8bcc99c41ccd45d497ef74a1fa7e6251acda292700dc6f137f9e1528dfef
                                                                                                                                                                                                                                          • Instruction ID: 7e6ea1d42a53b437ee563a3dae9326530daec680bd6de508efe598ba68ee21ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc6d8bcc99c41ccd45d497ef74a1fa7e6251acda292700dc6f137f9e1528dfef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9312431A0D68A5FE395FA78589E1B97BE2EF453A0B5800FFD08AC7193DE1C5C468345
                                                                                                                                                                                                                                          Function 00007FF848622E38 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: wQH
                                                                                                                                                                                                                                          • API String ID: 0-191867712
                                                                                                                                                                                                                                          • Opcode ID: 1ecc4dc08b91f27cc621109cc49142a963b57e61167e88de033e2e67e267b54e
                                                                                                                                                                                                                                          • Instruction ID: 0de2a6fdbd775bedc608e394586d51609016726a624bf73cc63e9f5f9b80bf05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ecc4dc08b91f27cc621109cc49142a963b57e61167e88de033e2e67e267b54e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0031C572D0D6C95FE796BF289C591E9BBA0FF11240F0805F6D448CA2D7EA289945C346
                                                                                                                                                                                                                                          Function 00007FF848645B60 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: GQ_H
                                                                                                                                                                                                                                          • API String ID: 0-266171174
                                                                                                                                                                                                                                          • Opcode ID: c42b8e1c506c99d1d2cc73a3c2558393b3783618d0884d49f3e9188bade7e357
                                                                                                                                                                                                                                          • Instruction ID: e622e9255a53e88055b9b02d6b04ce0b1c90fa5162b1484886d2b70701a9948b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c42b8e1c506c99d1d2cc73a3c2558393b3783618d0884d49f3e9188bade7e357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F31E920A1D7854FD796BB34446D5657BE2EF16640F0940FBD049CB1E3DF186C0AC319
                                                                                                                                                                                                                                          Function 00007FF8487A1F0D Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2817913386.00007FF8487A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8487A0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff8487a0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: nyH
                                                                                                                                                                                                                                          • API String ID: 0-4025281601
                                                                                                                                                                                                                                          • Opcode ID: 9c27cadff8cd73c8bfc7581a17a7faf0e26fb6d512c6c79b8fb7e3584c3cc101
                                                                                                                                                                                                                                          • Instruction ID: faa1ea878004120708ab8712f58a1f067f89ea451284b390558b738bfc67eeff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c27cadff8cd73c8bfc7581a17a7faf0e26fb6d512c6c79b8fb7e3584c3cc101
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8021EF3180E7CA8FE752DB2898651A97FF0FF42390F4402EAC099C7092C7685959C759
                                                                                                                                                                                                                                          Function 00007FF8487A01CA Relevance: 1.3, Strings: 1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2817913386.00007FF8487A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8487A0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff8487a0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: xOmH
                                                                                                                                                                                                                                          • API String ID: 0-1549615578
                                                                                                                                                                                                                                          • Opcode ID: 8dec6e9da06d274dc59a3ca199421911f6e62f4a29a72e8ada1a4e291a4bf0d0
                                                                                                                                                                                                                                          • Instruction ID: 54bb0665e95e3b37abaeaac130f0a13d600fd6c97c9944c06d2af6821f6265d4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dec6e9da06d274dc59a3ca199421911f6e62f4a29a72e8ada1a4e291a4bf0d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D21813184D7CACFD796EB2888695A97FF0FF56250F0904EAC448C70E3DB285886C745
                                                                                                                                                                                                                                          Function 00007FF848831A1C Relevance: 1.0, Instructions: 964COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f2ee5937d6e293919793e74a1deeb53a442e93d5e89a8b978ddeb3bb7e364ba8
                                                                                                                                                                                                                                          • Instruction ID: 3bd3dfdc821d55fcd2c72094e5c72b3726b7549dfaa57bca871a6e064a6505f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2ee5937d6e293919793e74a1deeb53a442e93d5e89a8b978ddeb3bb7e364ba8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0362C530B0DA4A9FEB98EB288455A79B7E1FF98744F6441BED00DC7192DF29AC42C744
                                                                                                                                                                                                                                          Function 00007FF84883AD76 Relevance: .9, Instructions: 917COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea4f9c0ee911dca2e340429c1b6a9ecec5c9440fe6d6544cc2b516c94d496889
                                                                                                                                                                                                                                          • Instruction ID: f241736111450c731b7a221bdcb1142c4228304a6831e5cae94495b976e6edde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea4f9c0ee911dca2e340429c1b6a9ecec5c9440fe6d6544cc2b516c94d496889
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF62C271E1CA4A9FDB99EB28C455AA973E1FF98350F5401BAC00AC7196DF29FC46CB40
                                                                                                                                                                                                                                          Function 00007FF8488359D0 Relevance: .7, Instructions: 678COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae88551818b55167695be83aa93106aa30171277712e7184f7094df3139e1d87
                                                                                                                                                                                                                                          • Instruction ID: 397c53779e0f68fd7105ff1576d23b1c104bf548d2389c97786e7cc9643ddd94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae88551818b55167695be83aa93106aa30171277712e7184f7094df3139e1d87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D229E30B1DA4A9FEB99FB2C806567D77E1EF58380F6404BAD44EC7296DF29E8058701
                                                                                                                                                                                                                                          Function 00007FF848627BF3 Relevance: .5, Instructions: 484COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d7770ce8cabca4f23fa93ac07f1a1c9816faf7c1b5d17631ff2ca5ed27fab17
                                                                                                                                                                                                                                          • Instruction ID: 0c9ddeb726368384f4a91c0ad599ae7a9ed5771e541504c5c85e62b631b2be19
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d7770ce8cabca4f23fa93ac07f1a1c9816faf7c1b5d17631ff2ca5ed27fab17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82E1F232D0D68A9FE795FF28A85A6F97BA0FF41351F0402BAD048DB193DF2868068755
                                                                                                                                                                                                                                          Function 00007FF84883C5F5 Relevance: .5, Instructions: 456COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc522ffa3171a8ddcf86b2387d496112629ed9cd96b359cc31ec64df06e8d94f
                                                                                                                                                                                                                                          • Instruction ID: cbbe464a474f354dd654f6fea41c4a7c41700f406746a5fd64ea3dcfec7daa92
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc522ffa3171a8ddcf86b2387d496112629ed9cd96b359cc31ec64df06e8d94f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEE11630A1CA4D8FDFD8EF18C494AA937E2FFAC744F14016AE40DD7295CB25E8518B85
                                                                                                                                                                                                                                          Function 00007FF848836A00 Relevance: .4, Instructions: 437COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 639c690d3c4d6c40e118ff936f8520d6e5868e5671214f0f8f5e45ccea9e29c7
                                                                                                                                                                                                                                          • Instruction ID: f921804c4690b7c76d0772a65b261c155bcac7800837fa1f2db7790c28480a79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 639c690d3c4d6c40e118ff936f8520d6e5868e5671214f0f8f5e45ccea9e29c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95C14821F1DD5B1FEBA9EA2C64551BA73D1FF98390B0441BBD40DC3287EE29AC428384
                                                                                                                                                                                                                                          Function 00007FF84862B900 Relevance: .4, Instructions: 386COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6c7100e7b96ee2a63afba0984b9cc8fa5e9f27b6a88a22ead25b68b741cfa6e
                                                                                                                                                                                                                                          • Instruction ID: 656d684a5f562a55b95430267c910a8f1375e46340e65345843f5aecc5a3ce2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6c7100e7b96ee2a63afba0984b9cc8fa5e9f27b6a88a22ead25b68b741cfa6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90C15630A0DA494FD7D5FB2C94596B977E1EF46760F5402FAC08DCB29BDB28A846C344
                                                                                                                                                                                                                                          Function 00007FF84883040D Relevance: .4, Instructions: 350COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 365ffadc2baf505ecc2ab595012f9401cb7bc9137b9af753ef5a7c449acf119d
                                                                                                                                                                                                                                          • Instruction ID: 9d64df606eab6d394848593f8c6f3a804144f6a7e577bcb1c6d255d5aa1d8011
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 365ffadc2baf505ecc2ab595012f9401cb7bc9137b9af753ef5a7c449acf119d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9B12331A1DB899FD799FB6884456AABBE0FF59340F0401BED089C72A3DF68E845C741
                                                                                                                                                                                                                                          Function 00007FF848633C08 Relevance: .3, Instructions: 340COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a118a70e2532c238911de0a31bf39c47f4b3c1515fdaa19d3fe0586155e04511
                                                                                                                                                                                                                                          • Instruction ID: 9cf19a2accc0a929ba1a2e8cce265863e76f5ba98955b4978e248f561e9fcb2e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a118a70e2532c238911de0a31bf39c47f4b3c1515fdaa19d3fe0586155e04511
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86A1053061CA498FDB99EB2CC489A7573E2FF55350F1406BED08EC72A6DA25F846C784
                                                                                                                                                                                                                                          Function 00007FF84863C9D0 Relevance: .3, Instructions: 330COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd0d7d3f5cc100175331663fd1d17e7475b43f44a318e8ed071cc7da40ad9ea7
                                                                                                                                                                                                                                          • Instruction ID: 3f2145af38f8374930c8e57cd88235a703c1f5ac6f20f06adc023d04183da439
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd0d7d3f5cc100175331663fd1d17e7475b43f44a318e8ed071cc7da40ad9ea7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07A1EA31A0CA489FEB98EB1C984A6BD77E1FF99751F04017EE44AC3291DB25F841C789
                                                                                                                                                                                                                                          Function 00007FF848832CA9 Relevance: .3, Instructions: 316COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2dd193c5f4b50a593d6c9caaa7a61815b80258654f8d1e14e8a57bfb5a5f8fa1
                                                                                                                                                                                                                                          • Instruction ID: e8ecc3bae05ed6ea6a0c248473ae875d2fa6dd0bc77a9d76ce2b120a7f3da420
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2dd193c5f4b50a593d6c9caaa7a61815b80258654f8d1e14e8a57bfb5a5f8fa1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC913431A0DA8A9FE785EB3894592B57BE1FF5A350F0401FAC049CB697DF1DAC428391
                                                                                                                                                                                                                                          Function 00007FF84862E970 Relevance: .3, Instructions: 311COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5f7ea00f103da175aa418e1f858d49ab59dbbeab079fa40da6aae7737ebb0495
                                                                                                                                                                                                                                          • Instruction ID: d4bc13b0f8f919ecd9301456dce89f1828b7f78caf3604616197689ec152956b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f7ea00f103da175aa418e1f858d49ab59dbbeab079fa40da6aae7737ebb0495
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A81F631B1CD1A0FE6E5FA1CA8997B927D1EF983A0F0501BAD40DC7296DE199C438385
                                                                                                                                                                                                                                          Function 00007FF848830480 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c44071c548b3a58fbce0b6dcffe5ff73f8868a69804b8bf24c68cb58a91dd9f4
                                                                                                                                                                                                                                          • Instruction ID: 47309476d415c81367a7de0aed3689d045496bb78765f2775ad0853ff007cfe5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c44071c548b3a58fbce0b6dcffe5ff73f8868a69804b8bf24c68cb58a91dd9f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9A1C331A1CB899FD799FB688445AAAB7E0FF58340F1005BED48AC7292DF78E845C741
                                                                                                                                                                                                                                          Function 00007FF848633C30 Relevance: .3, Instructions: 289COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 318960336045cdeb70b1d444505f02e2659c756c6b9398d16283dba92afd9189
                                                                                                                                                                                                                                          • Instruction ID: 7d0aa4d42483f303b47358fd31c0536bda894f78cc3b03178932773bbf3a8b51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 318960336045cdeb70b1d444505f02e2659c756c6b9398d16283dba92afd9189
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7813430A1CB494FE798EF6884895B6B7E1EF65350F14067ED88AC3296DF38F8428745
                                                                                                                                                                                                                                          Function 00007FF84862EA40 Relevance: .3, Instructions: 272COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb0cf18b48a9e7aa49c07c17df1b35ae224c05928b9cf92888cf26cbb7d08a2e
                                                                                                                                                                                                                                          • Instruction ID: a3da7c71bc811b259b25ca2d5b31bdc1ab298f20f01da7ffb0bb52fe7c6400ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb0cf18b48a9e7aa49c07c17df1b35ae224c05928b9cf92888cf26cbb7d08a2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5971D431E1C95A5FEB88FA1C985A9B937D0FF54B40F0401BDE84EC7197EE14A8468B89
                                                                                                                                                                                                                                          Function 00007FF848831752 Relevance: .3, Instructions: 256COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9cbfd6fe0abcfb2f1d032af9f9ed3602eaef7a7969e293379300c203e224972b
                                                                                                                                                                                                                                          • Instruction ID: 0b2902aca7f516371c95a771851f92cbd750dbfed38471478618d627ac1f0d90
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cbfd6fe0abcfb2f1d032af9f9ed3602eaef7a7969e293379300c203e224972b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B71C531F1DA0A8FEBA8EA1C98556B573E1FF58740F1041BBD40EC3196DF29AC428B45
                                                                                                                                                                                                                                          Function 00007FF8486270FB Relevance: .3, Instructions: 252COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41b012f3d028ab79703408ec520078696848c725fd7144f1472d3fa6ea54299a
                                                                                                                                                                                                                                          • Instruction ID: 6aeca1d7867162a3537a1ac34997848802b64e9703260ce04f70d1914e268e57
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41b012f3d028ab79703408ec520078696848c725fd7144f1472d3fa6ea54299a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B61F322B0D9256FE395BB6CB84A6FD3790EF843B1F084177D14CC7196DF14684A82D5
                                                                                                                                                                                                                                          Function 00007FF848839988 Relevance: .2, Instructions: 236COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9b94b3719791ed2e62d4ebd9176cee785980d499b25f8e1f4235593035b49f6
                                                                                                                                                                                                                                          • Instruction ID: 8ec68ba149b8cf99f2f4d9e51f7fb83ba04c681a3326809fd10c2a992c38fa53
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9b94b3719791ed2e62d4ebd9176cee785980d499b25f8e1f4235593035b49f6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1711270D08A5C8FDB98DF58C885BE9BBB1FB69350F1081AAD04DE3251DB71A985CF81
                                                                                                                                                                                                                                          Function 00007FF84862EA05 Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b50b2f985ba8cacea49ce87d5b47a1b918c4406b16ac3dd0ddc76f233818094a
                                                                                                                                                                                                                                          • Instruction ID: f7ba2c5eb6120f580c11e670100916453494f975f725c9b5fffb87f28cf99e7b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b50b2f985ba8cacea49ce87d5b47a1b918c4406b16ac3dd0ddc76f233818094a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E515C22F0D99A5FE7E4B62C641D2B93BD1EFA5AA0B1401BBD049C7197DF189C06834A
                                                                                                                                                                                                                                          Function 00007FF848624667 Relevance: .2, Instructions: 224COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5916eefaef04f2c1c98928be6af7c51bc381b57de5081ca2d292a06022c63408
                                                                                                                                                                                                                                          • Instruction ID: 523aa77fd36a16c081741801be2eb0f13d0fcc1ad744de8f9aa95cfea4b30609
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5916eefaef04f2c1c98928be6af7c51bc381b57de5081ca2d292a06022c63408
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61818570919A8E9FDB84EF68C849AEDBBF1FF59310F1402B9D409D72A6DB349846C740
                                                                                                                                                                                                                                          Function 00007FF848633C40 Relevance: .2, Instructions: 213COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 593d28c5b686453139bdb5fe8780446586a47cbafa0be3807189dcc221344d7f
                                                                                                                                                                                                                                          • Instruction ID: f6645450cb56cf326ef66fb4e5f8013cfabdf5a07e98ee52c7232dd8543ab6ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 593d28c5b686453139bdb5fe8780446586a47cbafa0be3807189dcc221344d7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7451C13161CA0A8FD799AB18D88CA7173E1FFA9350F14067ED44DC7296DB3AB8428785
                                                                                                                                                                                                                                          Function 00007FF84862C65D Relevance: .2, Instructions: 207COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 21d42a022804644954385ff6713f627fd7d762f53bba2b014270e6ccf54b1393
                                                                                                                                                                                                                                          • Instruction ID: 09fa69a8e298e51ae6fdf23e82e0569a07bb41e711109cdfa72b683e9bc10196
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21d42a022804644954385ff6713f627fd7d762f53bba2b014270e6ccf54b1393
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB51803071C8098FEAE8FB2C9459A7973D1EF59755B5000BAE48EC72A6DE18EC4287C5
                                                                                                                                                                                                                                          Function 00007FF84883F131 Relevance: .2, Instructions: 202COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4708c267d95a3b78450b5d20b0ace6f8a38f41592440f5540581be5bc0ee5b72
                                                                                                                                                                                                                                          • Instruction ID: dc2d6891f41b00ea41b0c770130d76f604e40b1b39f10a30c801f5a361789429
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4708c267d95a3b78450b5d20b0ace6f8a38f41592440f5540581be5bc0ee5b72
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E613F70A1CA4E8FDF95EF18D495AA93BE1FF6C740F44006AE44DD7292CA35E841CB85
                                                                                                                                                                                                                                          Function 00007FF8486354A6 Relevance: .2, Instructions: 201COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5646448f3e477313fbc4507d9a611cac66475b7324aaaf688ea76df27dae43ac
                                                                                                                                                                                                                                          • Instruction ID: 855cc24b87d85a24c258090fbdaf720acdeabbf9c758e63f7e1f16447725607a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5646448f3e477313fbc4507d9a611cac66475b7324aaaf688ea76df27dae43ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26410632B0CE0A4FEBD9A61CA8596B577D2FB95370B4401BBD44EC3296EE19EC434344
                                                                                                                                                                                                                                          Function 00007FF848834BE0 Relevance: .2, Instructions: 200COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71535231eef581f07a1a3bef577903558f8204864972dcb00e2d6ad9d3a25439
                                                                                                                                                                                                                                          • Instruction ID: b591d5bb2da2f13c7b75958841413238fe31b0e6d79b7dbde430d47e7d02346a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71535231eef581f07a1a3bef577903558f8204864972dcb00e2d6ad9d3a25439
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67511731A0DA061FE754BA5C64521B677E1EFA9364F08417FD089C3297EF29B8478389
                                                                                                                                                                                                                                          Function 00007FF848632AB5 Relevance: .2, Instructions: 199COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54a23288fae73d10b9d61484578ad7021ca625baba0e8d58fdd18c6f7342505a
                                                                                                                                                                                                                                          • Instruction ID: 2f2516d38084970f0bcfaeef38b26e9f01ff0ea9331410e3cd895b9083b91423
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54a23288fae73d10b9d61484578ad7021ca625baba0e8d58fdd18c6f7342505a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3514C63E0E5526FE2917B7C78560F93B80DF413BAF0C41B7D18CCA197EE09244682D9
                                                                                                                                                                                                                                          Function 00007FF848630230 Relevance: .2, Instructions: 190COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 451b8539e3d37cd506c3dd62b440dd3891dbcd3932c3e639034c25c415e70943
                                                                                                                                                                                                                                          • Instruction ID: 5c33a462e9e046cffb433b3459b2e943984990a4f5de39c33be194c985be581a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 451b8539e3d37cd506c3dd62b440dd3891dbcd3932c3e639034c25c415e70943
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49513A30A1CA4E8FDBD8EF1894496BA37E1FBA8351F10056AE40ED3395CF35A8468785
                                                                                                                                                                                                                                          Function 00007FF848839F9A Relevance: .2, Instructions: 185COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca8f026b3112b3fec84a6830f402d25940e85abaf1509d92c4a7758500e3eea1
                                                                                                                                                                                                                                          • Instruction ID: dfc09caed04611f039f12ab4df9949842b66d476107b07d2ce07248ab9fdf5d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca8f026b3112b3fec84a6830f402d25940e85abaf1509d92c4a7758500e3eea1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB513320A1CA568FE799A73884656B577E1EF49340F0484FBD48ACB2D6DF1E68868344
                                                                                                                                                                                                                                          Function 00007FF848831D16 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8703f463c3dd680b4cda749d2d5143fb7136bf0785d57ae9a55cf04427df8faa
                                                                                                                                                                                                                                          • Instruction ID: 4b560d9189fdc7fca80d721031bd777548017aaad55ce6e8c7750af70532fc8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8703f463c3dd680b4cda749d2d5143fb7136bf0785d57ae9a55cf04427df8faa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF51F570B0E6059FE355EB74C84A979B7A2FF89344B6041FDD04A8B192CF3EA842C740
                                                                                                                                                                                                                                          Function 00007FF848831D22 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8703f463c3dd680b4cda749d2d5143fb7136bf0785d57ae9a55cf04427df8faa
                                                                                                                                                                                                                                          • Instruction ID: 4b560d9189fdc7fca80d721031bd777548017aaad55ce6e8c7750af70532fc8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8703f463c3dd680b4cda749d2d5143fb7136bf0785d57ae9a55cf04427df8faa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF51F570B0E6059FE355EB74C84A979B7A2FF89344B6041FDD04A8B192CF3EA842C740
                                                                                                                                                                                                                                          Function 00007FF848830FF4 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8d8b00868f6b075abf246c38184062223783f1edfb3389adcdf2eb22fe4c0411
                                                                                                                                                                                                                                          • Instruction ID: 6e7613df575bb697100a284d3f3cbea68ed514b67ae9e1494f53259399ab7050
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d8b00868f6b075abf246c38184062223783f1edfb3389adcdf2eb22fe4c0411
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F541D134B1CE4A4FEB64EA1C941957A77E2FB9CB50F14027BE449C3255DE25FC028785
                                                                                                                                                                                                                                          Function 00007FF848630218 Relevance: .2, Instructions: 171COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1c44844c7438aecc5c79924be3c0e8d7a17cffff46b500d3bab0dea89dffa3a
                                                                                                                                                                                                                                          • Instruction ID: 9b5388a3845d8aa7304237cab736538854c27e3db8240e8429bfa722a756cfa0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1c44844c7438aecc5c79924be3c0e8d7a17cffff46b500d3bab0dea89dffa3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74516D71A1CA4E8FDBD4EF2894496BA37E1FF98391F00057BE44AD3285CF25A8468785
                                                                                                                                                                                                                                          Function 00007FF848630210 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b54244be9b7dd172fe1e3ef4e07861f9f635b0a5a278ef6f835c333ea169f6bf
                                                                                                                                                                                                                                          • Instruction ID: 7d5ddd6a07f437bbe8b5cb2fc72bb25bda249f7f0747309e558152698a1a01c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b54244be9b7dd172fe1e3ef4e07861f9f635b0a5a278ef6f835c333ea169f6bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D418E31A0CA4E8FDBD4EF2894495BA37E1FF58391F00417BE44ED3285CF24A8468785
                                                                                                                                                                                                                                          Function 00007FF848626451 Relevance: .2, Instructions: 165COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 95c054c15c552ddf703639cf359790d72fabafad44d7b353d0a2c40591eb7c08
                                                                                                                                                                                                                                          • Instruction ID: 562e626532efb6c9a3ce3c2a21dfc629d0e6d4e0a17bfae28555c64803927a85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95c054c15c552ddf703639cf359790d72fabafad44d7b353d0a2c40591eb7c08
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D351E530D0D65A8FDB99EB68C4997BDBBB1FF59344F5440ADC00EA7292CB386985CB04
                                                                                                                                                                                                                                          Function 00007FF84862F5C4 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 93c44a51f39a75366ae72da4d26e1b0fda05b26ab499cf986675eefab25c5c4a
                                                                                                                                                                                                                                          • Instruction ID: dd9c923f8e462cb354ade4d63a1f2d03c07464b60d95356ae458fa56dfe1f655
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93c44a51f39a75366ae72da4d26e1b0fda05b26ab499cf986675eefab25c5c4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D513071E1895E9FE7A5EB18D89D7A8B3E1FB58780F0001F9D40DD3296DE346D828B44
                                                                                                                                                                                                                                          Function 00007FF848634131 Relevance: .2, Instructions: 160COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cee7b8499568f46ca5422c3238c5b71b6bf28cd1cedea4c5e687243c600633a2
                                                                                                                                                                                                                                          • Instruction ID: 9c2e7aa4efb89d5999ac2b8e38690e5a64741ba8496e40d05b312290e1442c1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cee7b8499568f46ca5422c3238c5b71b6bf28cd1cedea4c5e687243c600633a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53515E71D1895D9FE7A9EA6CD8593B8B7B1FF68341F0001BAD40DE3292DE3858428B54
                                                                                                                                                                                                                                          Function 00007FF84862E150 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 777b0c053e25abc2bad8e8b30ddb337979103410feeb8bdc80f7615d7f7dd460
                                                                                                                                                                                                                                          • Instruction ID: 7687b04a01703a8099a1aef53d0e0ba5e37ce043a531bd4320fe02d86f0742f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 777b0c053e25abc2bad8e8b30ddb337979103410feeb8bdc80f7615d7f7dd460
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9141E531E1C90A9FE399FB3C845A27977E2EF95790F4441BAC04AC7197DE2868028741
                                                                                                                                                                                                                                          Function 00007FF8486395CC Relevance: .2, Instructions: 158COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 76e5c48cce01cf791a254447af7b504c7f4d0cb9eb41c97deecf7cbc4b5c324a
                                                                                                                                                                                                                                          • Instruction ID: 5666b1fff7ea9655f4387f67fb94032d53e43d2b386e85dfafadc5be88ed2530
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76e5c48cce01cf791a254447af7b504c7f4d0cb9eb41c97deecf7cbc4b5c324a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB51F5A2A0E5C54FE393AA3C589D6E57BE1EF57250F0805FEC089CB1E7DA24A807C745
                                                                                                                                                                                                                                          Function 00007FF848644350 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 095b92cdfba4bff12e007b55805b7088076a1149124138f82ad7348bf2b80bad
                                                                                                                                                                                                                                          • Instruction ID: bdad5d4a25e95cf04febfa765af65c4d42b05c8fb4f481559d6aef2381ceea3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 095b92cdfba4bff12e007b55805b7088076a1149124138f82ad7348bf2b80bad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80412730A1DE464FE799EA38945A6B973D1FF50744F04417DD88EC3296EF29F8428388
                                                                                                                                                                                                                                          Function 00007FF848632CD0 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f94ee8578fa78ff5fc7a7529e58896337788edbd2071eea406b344953c1dfc21
                                                                                                                                                                                                                                          • Instruction ID: 22a83b0be332dee246eb2a75ed782c1ad7a4de42173e03fc6d308d613352ed03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f94ee8578fa78ff5fc7a7529e58896337788edbd2071eea406b344953c1dfc21
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A312662E2CD5A4FE3D4BA2CA81D3BA73D0EB94791F04027BD44DC7295EF589843438A
                                                                                                                                                                                                                                          Function 00007FF848834C10 Relevance: .1, Instructions: 140COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4456fb478b1b2627166f07c1ca2424a0d79fbba231ef0e8d7ef2565d98422a3e
                                                                                                                                                                                                                                          • Instruction ID: 9524e8ba96d140df9cdcb329cf71dcdad8f3df24ad215dca9744d0140e1fe0c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4456fb478b1b2627166f07c1ca2424a0d79fbba231ef0e8d7ef2565d98422a3e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED413531A0DA461FE754AA5C54522B637E1EFA9360F0841BFD489C3293DE39BC428385
                                                                                                                                                                                                                                          Function 00007FF84883FC59 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3935639c25df3536566b763f0b451a24e905b080abc7b98d277f4e3809239c42
                                                                                                                                                                                                                                          • Instruction ID: 68e6f8a5c54173d891b0d56c72bb560b6b64a7703e1bbe86211c3f88bd9c89f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3935639c25df3536566b763f0b451a24e905b080abc7b98d277f4e3809239c42
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5941C131B0CE4A9FD798EB2C94A86B077E1FF5C314B1801AAD44DC72A6DE25AC42C780
                                                                                                                                                                                                                                          Function 00007FF8486235C7 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9d7f5756c113ef41a8fe05db88a2dda9cf25edde2eb154d422659591a8d68b99
                                                                                                                                                                                                                                          • Instruction ID: 9984b855d493fd3379d2111c0cb552f572c3427a8043de8b07a3bfae5865eed3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d7f5756c113ef41a8fe05db88a2dda9cf25edde2eb154d422659591a8d68b99
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E41C67190E64A5FD795EB7C84596A9BBF1EF47260F4002FEC049CB2A2DB281C46C711
                                                                                                                                                                                                                                          Function 00007FF84862BA60 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc189a211de5d31f1279a090550a7316832baa0c981f6fe676f60398c0d556f1
                                                                                                                                                                                                                                          • Instruction ID: e0c023a48e090d364116d760298479bc3ad0e914e51548c7a9eb534e364add79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc189a211de5d31f1279a090550a7316832baa0c981f6fe676f60398c0d556f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21411671C0D6CAAFE785BB78541A6E97BA0FF113A1F0805FAC0499B0D3EF2C244A8745
                                                                                                                                                                                                                                          Function 00007FF848635148 Relevance: .1, Instructions: 134COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71d1698ce49c5d77c5deb45e3fecdf802e786205d10fc470b319420bd716c09f
                                                                                                                                                                                                                                          • Instruction ID: e3ac5eab3294e1d136d49d76c65a862dc7e874fe48f71eac34487c70982826f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71d1698ce49c5d77c5deb45e3fecdf802e786205d10fc470b319420bd716c09f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C417F30A1DA458FDF95EB2CC099E7677E2FF59340B1445AAD04AC76A6CA28F845CB40
                                                                                                                                                                                                                                          Function 00007FF848837AD9 Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e6b63437c30f6bc67acf3a526e072e48a53f65dbbb4833668c46a8f7a5e3a76a
                                                                                                                                                                                                                                          • Instruction ID: a8bb13feb594fd5230842d3abe817ff6168c054757a93670387ea60f31871091
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6b63437c30f6bc67acf3a526e072e48a53f65dbbb4833668c46a8f7a5e3a76a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7241F33050E68AAFD795FB288855A727BF0EF55300F0804FAC049CB197DB2AEC45C751
                                                                                                                                                                                                                                          Function 00007FF848834122 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 042cfd5bb16a5c5f5e908463471aee69f576dd8dc7b077ab3f29324e47f25bb1
                                                                                                                                                                                                                                          • Instruction ID: ce6f64cd1686bcde92fdf2fbfdd695b7d9aebf27881ae4a3c8c9151a6cda1086
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 042cfd5bb16a5c5f5e908463471aee69f576dd8dc7b077ab3f29324e47f25bb1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72410531F0CA8B9FE755EA7C98495B97BE0FF69750F0401BAC049C7296DF29AC468740
                                                                                                                                                                                                                                          Function 00007FF84862852F Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 93ab98aab1e8de6898e918a214dcb2e8be8d3d2a4c4c860cbd6abe38e9613af5
                                                                                                                                                                                                                                          • Instruction ID: 39971c7a448b78ec94ab9dfc7effcf91e844313d3cf7eacdf94849f8aeb16915
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93ab98aab1e8de6898e918a214dcb2e8be8d3d2a4c4c860cbd6abe38e9613af5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9417F70C0DA4D9FDB95EBA8C8496ADBBF0EF19360F5401B9D049E7192DB385842CB15
                                                                                                                                                                                                                                          Function 00007FF84883CCA5 Relevance: .1, Instructions: 126COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9aed5f315b5cfd3e368afa579b941e8c395005dd836ad7c135db1850620e7cb0
                                                                                                                                                                                                                                          • Instruction ID: 76e8cafcbad6cc772da9882f5f84581c1bd2213fff19b218320ca993613592fe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9aed5f315b5cfd3e368afa579b941e8c395005dd836ad7c135db1850620e7cb0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA31A33070CB584FD7A4AA1C985577A7BD2EF99750F0402AFE449C7297CF25AC4183CA
                                                                                                                                                                                                                                          Function 00007FF8488369E9 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 603d05bc2697ed065c422600500db58cf4ef99265197752a42d4a2eb70a0356d
                                                                                                                                                                                                                                          • Instruction ID: 9319af01f4f8f9fdaba0414da0b6cfe1015476cb043c18e4d89bd9c5d402b819
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 603d05bc2697ed065c422600500db58cf4ef99265197752a42d4a2eb70a0356d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9531C721F1DE5F5FE7E9EA1C241923627D1EF9C651B0541BFD80CC3296EE29AC028385
                                                                                                                                                                                                                                          Function 00007FF84883BBB6 Relevance: .1, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ae8ac971c39aafea63458d609025d9e9f364ed73d26e0ac812eb0825293d330
                                                                                                                                                                                                                                          • Instruction ID: 4cff8201424116ec1e3441205ad7332db449a896ed4401c27ccd0e3e72f23793
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ae8ac971c39aafea63458d609025d9e9f364ed73d26e0ac812eb0825293d330
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14314171E1C94A9FDB99EE18D4529A973E1FFA8740B50417AD00AC7286DF25F8438B84
                                                                                                                                                                                                                                          Function 00007FF84862B94D Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 95d6d31b244cde020f0d7c9b4f4490cf5f80777ddad82bd8f04802d0fc340f90
                                                                                                                                                                                                                                          • Instruction ID: dc96e252b1142502a9561569861cfb86692dcc0757c4ecce360e9e42c1b2a143
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95d6d31b244cde020f0d7c9b4f4490cf5f80777ddad82bd8f04802d0fc340f90
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E312921A0C9452FD79AF76C90966FA7BD1EF54394B1840BAD0CEC72A3DF18B446C384
                                                                                                                                                                                                                                          Function 00007FF848632942 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c5ded1db3a54244571906db944d46e257e2506ea0a78bbcbbf91138b40ed020
                                                                                                                                                                                                                                          • Instruction ID: 14848e4b9ddb2ed6432a2903fceb5609d91768a65afbacbc951dd0d7c32f0d12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c5ded1db3a54244571906db944d46e257e2506ea0a78bbcbbf91138b40ed020
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA31F231A0D7CA4FD3969B38A8595A13FF0EF42220B1941EBD049CB1D7DA1E9847C346
                                                                                                                                                                                                                                          Function 00007FF848630268 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2d697d3bc8b95d11bb3c98dea018f1a4f7245138fdb22048e498f5651ce04b98
                                                                                                                                                                                                                                          • Instruction ID: 6b6c88b8d863f50eb8d5a091f0fbeaae2fb6a45363e153d8be3d046d8f0d8d7b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d697d3bc8b95d11bb3c98dea018f1a4f7245138fdb22048e498f5651ce04b98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB31B831A1CA4A4FF7D0E928A448676B7D1EFA83A5F04057FD44CD32A1CB58E9C5C38A
                                                                                                                                                                                                                                          Function 00007FF84862BB05 Relevance: .1, Instructions: 114COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 72840217480fbfaa8cf85deab328ef23295396345f2dd314094aa0a3284fe294
                                                                                                                                                                                                                                          • Instruction ID: 49b0197a53e7ca797260adc2cfa9e3b07ec5d930defdc43682e9a681820f2c8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72840217480fbfaa8cf85deab328ef23295396345f2dd314094aa0a3284fe294
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A841E471D0D68AAFE385BB78882A6E97BE1FF11391F0406FEC04997097EF6C14458B45
                                                                                                                                                                                                                                          Function 00007FF84883E51F Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 60a0758f8b3bac0fba030b57ffa232c6ae35ed1091805f1e2d1dd1cb1b01a2e4
                                                                                                                                                                                                                                          • Instruction ID: d822fca0ea9f8afcca84a31bfba760a8440f7059909784aaf29ec3493ecf1e34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60a0758f8b3bac0fba030b57ffa232c6ae35ed1091805f1e2d1dd1cb1b01a2e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B41AD31B1CA459FDB94EB28D444BAAB3E1FF58340F1449BAD08EC7292DE29B845C741
                                                                                                                                                                                                                                          Function 00007FF848629D55 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d02e1f5e8497ee460a35364b141af31b67d70e7e51070452e983cc634019f4df
                                                                                                                                                                                                                                          • Instruction ID: 5f777524d11592ee736e81d14ab468562ec6fa8119bf889523931bad285c0136
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d02e1f5e8497ee460a35364b141af31b67d70e7e51070452e983cc634019f4df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4331A73194E7C64FCB939BB898690EABFF19F9717475801EAC4808B163EA9D4C43C712
                                                                                                                                                                                                                                          Function 00007FF848623B3E Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 277e7d7dc99085ed86b01a5060f1bfd2ad26bcade3429686e0577c764750965f
                                                                                                                                                                                                                                          • Instruction ID: a193069a8729d95fcc1ad050658de96dd7ec7981a153501ca742c57a7672b387
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 277e7d7dc99085ed86b01a5060f1bfd2ad26bcade3429686e0577c764750965f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1531D070C0E68D9FD782EF6888595EA7FF0EF6A320F0402EAD088D71A2D72C4549C751
                                                                                                                                                                                                                                          Function 00007FF84862748A Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7d18b92f5e03917bbd320948ef269bf7da7273a8112257b446e0e19d36c1cdd4
                                                                                                                                                                                                                                          • Instruction ID: 03d87a21facaa1e00ddfdb8886f6f5c10d508174f2ffefd2e72d8e1cdbac5c5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d18b92f5e03917bbd320948ef269bf7da7273a8112257b446e0e19d36c1cdd4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13315830D09A0D8FCB98EF58D8856EDB7B1FB5A350F4012BAD40DE7241DB35A9858B44
                                                                                                                                                                                                                                          Function 00007FF848636D78 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4da3ff3173df8b7ddfde36ab25917da29b669e76efe7fe2bd6c60ac23b41973e
                                                                                                                                                                                                                                          • Instruction ID: eb202a2dfdfea709028eaaf2cf94e8e17b7836e7962eb767cd5f9cdb34e0a752
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4da3ff3173df8b7ddfde36ab25917da29b669e76efe7fe2bd6c60ac23b41973e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9621E26190EAC64FE796A73C98291A43FE1EF17694B1D04FBC088CB1A7DA199C0D8311
                                                                                                                                                                                                                                          Function 00007FF848639A48 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cdecee78a848f65d6ee628072f1b0459ae7d5112b952026ab9c17739d537550d
                                                                                                                                                                                                                                          • Instruction ID: 8a2300af4ce07ed4eebd3bb1760b4f37685a718ead80d6c17fc1b3f974437bf2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdecee78a848f65d6ee628072f1b0459ae7d5112b952026ab9c17739d537550d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9821063050D1469FDB95FF28D0894A67B90DF52360F2882FAD04D8F197DB28AC86C7C8
                                                                                                                                                                                                                                          Function 00007FF848635DDD Relevance: .1, Instructions: 91COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 460a7afab9e831a31c72045570d5381ec30cbd1a2382c7907c27c40f2fb8bdb4
                                                                                                                                                                                                                                          • Instruction ID: 35cac6d60a2bb51629288594bdf7dee3401c93a7deeb6bb9a718c19ce230456a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 460a7afab9e831a31c72045570d5381ec30cbd1a2382c7907c27c40f2fb8bdb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6115732F1CE4A0FEBD9E22CB05E2B927D2DB996A5B1402BBC44DC3286DE158C434349
                                                                                                                                                                                                                                          Function 00007FF8488321FA Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c8e11be4fd3587feec566ba8f60788aaec1681d4cbb6ff66e626507d78d90643
                                                                                                                                                                                                                                          • Instruction ID: f7870f748f98b0573aeafa2e996e494815acc30891fee6789ad9e4a02efbb466
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8e11be4fd3587feec566ba8f60788aaec1681d4cbb6ff66e626507d78d90643
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50213A71E0DA4A4FDBA5FA2C68069B9B7D0EF58391F5041BBD00DD7192CF29AC4282C5
                                                                                                                                                                                                                                          Function 00007FF84883DDE8 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 65ce17851341d2f868faa8347cbba493a5608d97136641e1411bc09128506875
                                                                                                                                                                                                                                          • Instruction ID: ef50a559511fcb64bc2a59c5ce52ab6f082e456e7d19b005026f605709031fd2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65ce17851341d2f868faa8347cbba493a5608d97136641e1411bc09128506875
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DA21B032E0DA980FDB91EB6C98592EC7FF1EF6D251F0901B7D40CD7192DE1958068391
                                                                                                                                                                                                                                          Function 00007FF848638423 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2aeb978c333ca9404132b358510e26ab4caec19ae67b1b1ec4a3ccd18537dacb
                                                                                                                                                                                                                                          • Instruction ID: 5fc66f9c9c1e6c89a248854efb02a39996e5896c064f3b9d309364c0c671d9f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2aeb978c333ca9404132b358510e26ab4caec19ae67b1b1ec4a3ccd18537dacb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9411C472B0DA4D4FE2E8EE1CB8566B433D1EB99760B1405EBC04DC7752DA11AC464786
                                                                                                                                                                                                                                          Function 00007FF84862425B Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a71fe2ef471805fbdd586f100363f5beeb6d6ac94b77199b408237897e74afbf
                                                                                                                                                                                                                                          • Instruction ID: 753f4386d85848adbdd2e2229745f36c60e209e4b2845f5e26addb146143202b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a71fe2ef471805fbdd586f100363f5beeb6d6ac94b77199b408237897e74afbf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF21CD3188E3C54FD3136B7068165E5BF789F03391F1A01E7D488DB4A3C62E6A9AC366
                                                                                                                                                                                                                                          Function 00007FF84862EAEB Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dba0641a18c660f97f9742c279819f6e2cebb5bccde2d74a8fef117efd0c7534
                                                                                                                                                                                                                                          • Instruction ID: 812ba9f51f19da2968161a089d6923971c12ebef2a37b7b2ee3407a6e7a70994
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dba0641a18c660f97f9742c279819f6e2cebb5bccde2d74a8fef117efd0c7534
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3216D71D1CA8D8FEBDAFA2898592A977B1FF55341F0401FAC00DD3193DE3819458B45
                                                                                                                                                                                                                                          Function 00007FF848625220 Relevance: .1, Instructions: 82COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d3f8ca54e7636a0ccd0e4939bef3cb2073c8bcf3f9e5e214e1a6db23f3cfb0a
                                                                                                                                                                                                                                          • Instruction ID: edfaace270589dfe124957041a8d270dab0b453b3f24d2b07f5f0d4553018e59
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d3f8ca54e7636a0ccd0e4939bef3cb2073c8bcf3f9e5e214e1a6db23f3cfb0a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E219D70909A5D9FDB84EFA8C8596EEBBF1FF59310F1005AED009E3291DB745841CB90
                                                                                                                                                                                                                                          Function 00007FF848620C58 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 27a8b500ae97ec426d8b195743fba4b4ab6a7f4394b34050e05bfe98649d7a7a
                                                                                                                                                                                                                                          • Instruction ID: 9a0bae48ad269bc9afafb86f3a03baf1390d11eff8425dd8553d46fee9c6cdb0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27a8b500ae97ec426d8b195743fba4b4ab6a7f4394b34050e05bfe98649d7a7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 592178B290E69AAFE715BB3498062E93BD0EF42361F0501FAD108DB5E3DF7C5804C642
                                                                                                                                                                                                                                          Function 00007FF848635E30 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c40b4dc60b90aed7ee9fe1ba189da305df259d50bf4ad6d9f6953d1f90d19f05
                                                                                                                                                                                                                                          • Instruction ID: b1c1e4af3b75ccd7d17a7294e10db75beaaa1c96390cc893e387836e797784b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c40b4dc60b90aed7ee9fe1ba189da305df259d50bf4ad6d9f6953d1f90d19f05
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E111A532B1CD0A0FABD8E11CB05D675A3D2EBD82A5B14057BD40DC3299EE19DC434344
                                                                                                                                                                                                                                          Function 00007FF848837B00 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e71d720027f986bc8052da29a6fe1dd686173085bd226b26c9af2b48cdceb0d7
                                                                                                                                                                                                                                          • Instruction ID: f57a38adc984462f758ae4a89a94e6122c50e9c4caf76dffc9aa9afbcec136f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e71d720027f986bc8052da29a6fe1dd686173085bd226b26c9af2b48cdceb0d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2121C53050A6096FD7A4FB688889A7677F1EF49354F5405F9D009CB196D72AEC41C790
                                                                                                                                                                                                                                          Function 00007FF84862E938 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70dab91528b77976ba76e5c2ea12b26fc76fd59aaf630b591160c62918819264
                                                                                                                                                                                                                                          • Instruction ID: cb11731f10a1beab74edfa67eedf1b5a8d64abeedb89220946913a250e261182
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70dab91528b77976ba76e5c2ea12b26fc76fd59aaf630b591160c62918819264
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE212B2190E9C65FE795F73C98095B93FE1EF56690B5804FEC044CB1AADA199C09C341
                                                                                                                                                                                                                                          Function 00007FF848636100 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1bab509828d908f1a463ff8ea6a59bef8ddf7743b2e76822239bf99e645a7446
                                                                                                                                                                                                                                          • Instruction ID: 3ebbe63ce9ae3353392138dc710d4f3b37f88e6b204a7a309ff9e8a34920a78f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bab509828d908f1a463ff8ea6a59bef8ddf7743b2e76822239bf99e645a7446
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80112632F0EC4E8FE6E9A5AD3C9D1752AC1EB99651B1501FBE80CC32A7DD558C418385
                                                                                                                                                                                                                                          Function 00007FF84883ECC2 Relevance: .1, Instructions: 76COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1a91341fc842c1508977f54fa3e2d82e1ce644754d9ec37850877a3cd3195d6
                                                                                                                                                                                                                                          • Instruction ID: 932b6445e9c4b68b39cf738a5116a402ed076c5afcb232a47a98bfbb05f9241d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1a91341fc842c1508977f54fa3e2d82e1ce644754d9ec37850877a3cd3195d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E21CF3171CE459FEBA4EB2CD445BAAB3D1EF98340F04497ED08EC3282CE69B8458742
                                                                                                                                                                                                                                          Function 00007FF84867EDB0 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 546f7cc5b376882e77aa3bb75a056194ed98a45e49eb536b6b816a0fe00e170c
                                                                                                                                                                                                                                          • Instruction ID: 69a982bb2ffd888ec5f63efeef0713e46f116c35da4257d3527c74280711626c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 546f7cc5b376882e77aa3bb75a056194ed98a45e49eb536b6b816a0fe00e170c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63117031B088194FD6E4FB6C949CA7A72D5FF88740F5005B9E04EC72A2DF24AC8587C9
                                                                                                                                                                                                                                          Function 00007FF84862BE2C Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1dff020c743b330867a1ab1b9b4339e98540d5f703726ddb25dec7e72268c4c7
                                                                                                                                                                                                                                          • Instruction ID: c17f1fd0a9c4b7f6dee8c182b0259d6d78a7175b2a4de1ac4474fe2f21e55f60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1dff020c743b330867a1ab1b9b4339e98540d5f703726ddb25dec7e72268c4c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7611E922E0CD8A9FE3D9FA28649D3F463D5FB687C0F0801BAC04DC7692DE2868464390
                                                                                                                                                                                                                                          Function 00007FF84883222D Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e7f6e20066e1852ff7cdf5d6f478fb53bf8b3c57f0b501386d70a9eebe546a87
                                                                                                                                                                                                                                          • Instruction ID: ee2e0937c1218b4362df2a659a85a7abf28b1efc01c3c0867049ffe8e4cef21c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7f6e20066e1852ff7cdf5d6f478fb53bf8b3c57f0b501386d70a9eebe546a87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B112632B0DA198FEB61B55C7C065FDB7D0EF59362F50027BD54A93142CB2AAC4282CA
                                                                                                                                                                                                                                          Function 00007FF848840655 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c6a51eb19de5fabe345742d0aea13e4bfdc0399ff9ed7d9eccc8a75f8a398d1
                                                                                                                                                                                                                                          • Instruction ID: cc4c74e2fac9396672a91c90200d606557f4c332e3b1253cf5a2542c45083976
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c6a51eb19de5fabe345742d0aea13e4bfdc0399ff9ed7d9eccc8a75f8a398d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2601F73160CE1D8FDBA4F61DC494E7577D1EB6834174504DAD08BCB2A2DA68FCC18780
                                                                                                                                                                                                                                          Function 00007FF84862D965 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 992fd6ddd0b6f615aa69cb99f60c28babfb1699fa346e6101d6f7d2800d9f15c
                                                                                                                                                                                                                                          • Instruction ID: a9d1a3dcf88ec4785869b31246c962cb93fb15dac3b6e61315d440fb024b50ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 992fd6ddd0b6f615aa69cb99f60c28babfb1699fa346e6101d6f7d2800d9f15c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF118F7180E7C54FD347AB3888589507FF0AF27211B0941EFE088CB1E3C62D984AC716
                                                                                                                                                                                                                                          Function 00007FF84862EACB Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc5a98f4bed4560d03770d315f8bda999755d3c0c46d8b1e4265f76e6b8a36c9
                                                                                                                                                                                                                                          • Instruction ID: 0c4516220025cbd458e3feae3b30ad74759c537bcf5d0ed7c25e70bed20a202f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc5a98f4bed4560d03770d315f8bda999755d3c0c46d8b1e4265f76e6b8a36c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E111FB1D1895E8FE7D9FA2898592BCB7A1FF54342F1001FAD40DD2192DE3419868B45
                                                                                                                                                                                                                                          Function 00007FF848625C19 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e306edb30c3641709247810c05b8b0eeb74d8490eb9964eca1adf93508764bbc
                                                                                                                                                                                                                                          • Instruction ID: 42512e3883beedcccdf43f6dce338a6510310567e80808f46f54b6f2203db8ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e306edb30c3641709247810c05b8b0eeb74d8490eb9964eca1adf93508764bbc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC11937090E7899FD756EBB4885929DBFF0EF16350B6804EDC480DB1A2CB6D4C45CB00
                                                                                                                                                                                                                                          Function 00007FF8488378D7 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f7b98d9ff3773f4b9a110fb639c0ea7a065a60cee4840ae5f88267a038349c4
                                                                                                                                                                                                                                          • Instruction ID: 2a913d7397cb7bb4b6be1e6cbcfde42dc1f14fc78602dd61a1133c9d2ffe2bde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f7b98d9ff3773f4b9a110fb639c0ea7a065a60cee4840ae5f88267a038349c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7001A763F1EA5E0EE668761C38061F5B3C1DB496A4F4442B7C80E8358BEE1FAC034189
                                                                                                                                                                                                                                          Function 00007FF84862A670 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b4474f34067b472de28853426b52111888a4a0bf2e43d17c2d8956cf649d39c6
                                                                                                                                                                                                                                          • Instruction ID: 810aff6d6314d24c8ba97ebf7186de3ebc78ae8c34fcc57d351f5be6cd860369
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4474f34067b472de28853426b52111888a4a0bf2e43d17c2d8956cf649d39c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A018131B0C80E0FE6D4FA6DA84977677D6EB98361F4102BAE90CC3256EE69D8418385
                                                                                                                                                                                                                                          Function 00007FF848624DD6 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d0f19f357d12c600e8ccede7bfadc9a8d9899e564ecd1c6df2dfdc4269f34273
                                                                                                                                                                                                                                          • Instruction ID: b87e1a2d4e5c9e42e8cb3dc028a1bd6a8ebac1a5a78ceaf359d6cc73fb6b4223
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0f19f357d12c600e8ccede7bfadc9a8d9899e564ecd1c6df2dfdc4269f34273
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37115A71E0A90D9FEB94EB28D895BA8B7B1FF44340F5041F9C44DE3295CE396C868B00
                                                                                                                                                                                                                                          Function 00007FF8486379C1 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40fac74194aabddc000f7afd1b45c0b86bf096951578e12b6d2fd053b2e72c04
                                                                                                                                                                                                                                          • Instruction ID: bf3c11c3ba0970ab5b48ed5410ebf42c6f76598f2d997c3354538909e326f4c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40fac74194aabddc000f7afd1b45c0b86bf096951578e12b6d2fd053b2e72c04
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06F0E92270D9880FE394A52CAC5D9723FD4DB6A17271502FFE848C71B3EA029C038359
                                                                                                                                                                                                                                          Function 00007FF848833AC4 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ea16947d2ad589adf7672108ab1205776b84d61a7ecb4ae3c3998877f2715a7
                                                                                                                                                                                                                                          • Instruction ID: 76b62c2277050d4227dd4c7eec7e78ac7f31bae22c2100abb7ff35828eae3ce1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ea16947d2ad589adf7672108ab1205776b84d61a7ecb4ae3c3998877f2715a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE016D31B1C91E5FEB98E72CA855BB973D6FB98790F1440B6C00DD3296DE25AC468780
                                                                                                                                                                                                                                          Function 00007FF84862BD9C Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e0498d766f37486104f7a306e7059d2997ce19a26301906ba94d6ce407e1de27
                                                                                                                                                                                                                                          • Instruction ID: 1d39644d63dd9c680619061a97bd6be9457fda361b380fe0b72b11419421020f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0498d766f37486104f7a306e7059d2997ce19a26301906ba94d6ce407e1de27
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08018421D0C64A9FEB90FBACD4196AC77E1FF99210F1002BAC049D7192DF1C6846CB01
                                                                                                                                                                                                                                          Function 00007FF848632D68 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: df7d9d07bfe7b26066651a42196a3ad0ab448c8b6c27c2f517b24d6da826a660
                                                                                                                                                                                                                                          • Instruction ID: b71fb276b9b496cb8b157bd42132aeafc276c857ac19ed6a7d8a05b3507cff76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df7d9d07bfe7b26066651a42196a3ad0ab448c8b6c27c2f517b24d6da826a660
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8901923090CB084FD795FB28904966ABBE2EF94354F14097FD889D7360DB38A4458745
                                                                                                                                                                                                                                          Function 00007FF84883B3DC Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a8e652ec9187ade273cdaa041bb2f4e05f40b3b6cee30be21788f14bb5e8f1a9
                                                                                                                                                                                                                                          • Instruction ID: 1b94480f08859d81248ff91322e7c0847d4cce82688dbcff9c2b72f36cc9c972
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8e652ec9187ade273cdaa041bb2f4e05f40b3b6cee30be21788f14bb5e8f1a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5F0C871E5EA968FD356A7384C351653AE1AF96654F5800FFC48ACB2E2CB2E4C02CB05
                                                                                                                                                                                                                                          Function 00007FF8486332E5 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 46d924a360f245553c80a5242dd4cf2785b6ee149b4d0452454609a989267650
                                                                                                                                                                                                                                          • Instruction ID: ca21dedc254e14fa8bfa703e1c0d32b7b20ac789d5d190487b3563fd8b460d14
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46d924a360f245553c80a5242dd4cf2785b6ee149b4d0452454609a989267650
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89F0A731F1CD591FDAE8B62C50597BA23D2EF95340F44047AD44EC3286DE58A8429395
                                                                                                                                                                                                                                          Function 00007FF848623E50 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4ee18d651bf524e9315d0d0e905028abd84698224d02dfa7700377f638548000
                                                                                                                                                                                                                                          • Instruction ID: 3372b3dda14e1b9fdb9a0a5747875c37ad4828a9edc2e48f51425995bfab3dd8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ee18d651bf524e9315d0d0e905028abd84698224d02dfa7700377f638548000
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AEF08C30C0860C8FD750BE69A0083F9F7B4EB4A345F40107AD00CA2190C37A9599CB19
                                                                                                                                                                                                                                          Function 00007FF848628CE8 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae511001a7b4695621b590a3f09b131e6f9b8672c73cc0b0808a48946e0a262a
                                                                                                                                                                                                                                          • Instruction ID: 7c1e1b954e92fa35b1cb84d60b21b27e5423a09eb359c1cb23401d4422ae8f92
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae511001a7b4695621b590a3f09b131e6f9b8672c73cc0b0808a48946e0a262a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9F0A030C4960D8FCB54FE54A8043FCB2B4FB0A305F402279D00CB2581C7799A98CB19
                                                                                                                                                                                                                                          Function 00007FF848835638 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 74b721dddfe2e7fdf678aa188e82364207d2ce561890520e390a36584b3cc00a
                                                                                                                                                                                                                                          • Instruction ID: 887b96fafe7f63c40da8f2c3bf214494aeb0ad6a64ffa98431b42e2ec277cf66
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74b721dddfe2e7fdf678aa188e82364207d2ce561890520e390a36584b3cc00a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53F0B432F0D7554FFB459A58B4C12E87790EF81364F54007BC249C3193DB2B641E8745
                                                                                                                                                                                                                                          Function 00007FF848625DC7 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 950f9135c8d7cadad69c1621b1b7b764eae03cffc3d28255e7e4b1f77ba9b020
                                                                                                                                                                                                                                          • Instruction ID: 8c40eb0a49cff2236b0a11bd77910268c4b29920ffd98e98e4ccfa142cfa0528
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 950f9135c8d7cadad69c1621b1b7b764eae03cffc3d28255e7e4b1f77ba9b020
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8013C709197899FCB51EFB8C856699BBF0EF15710F5400E9D489D7252CB386886CB41
                                                                                                                                                                                                                                          Function 00007FF848840A49 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dfaddcead11595e4f28656460f6e873377550f47938f655f4870be29ee005594
                                                                                                                                                                                                                                          • Instruction ID: c30bba499e2afce3aa7befc67f6134dc3c74bf8b97289a0a7ce174b7d2ceebe2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfaddcead11595e4f28656460f6e873377550f47938f655f4870be29ee005594
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85E04F53F0D84E4EE5D8E45D38501696782E7D85A07556276C08EC338ADC5AAC8B0744
                                                                                                                                                                                                                                          Function 00007FF848838EB4 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2820280968.00007FF848830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848830000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848830000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 835d66cc6d8a75cbd3cc24b6990b17abd4fdc8546596611edc60f80c28172c60
                                                                                                                                                                                                                                          • Instruction ID: 83fc367bcf0d08226b871005423a86f2850606c3ff139a3d176151505843e188
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 835d66cc6d8a75cbd3cc24b6990b17abd4fdc8546596611edc60f80c28172c60
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AF03032E0990D8FEB65EA68E4556FDBBB1FF49351F101176D108E3591CB756842C740
                                                                                                                                                                                                                                          Function 00007FF84862BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1e0362c801258ffe606458cfbfbb953ee8f80a4c2d9069d879ce69203df25262
                                                                                                                                                                                                                                          • Instruction ID: 27b1ef6c5e2d02fd707ba397b4c89ae20efac84154c9e90ad235050c09721533
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e0362c801258ffe606458cfbfbb953ee8f80a4c2d9069d879ce69203df25262
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEF05474E1851AEFE784FB58D895ABC73B2FF88B50F404074D04893282DF2C68018714
                                                                                                                                                                                                                                          Function 00007FF848629D15 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d05a0902976cf8d2af5ef49a8a926680bb4553b1ba7bb3fcc6c2aed6b487d920
                                                                                                                                                                                                                                          • Instruction ID: 45235dc29b94784a8c6c15a2bad8b7f88efb12a19c9bf3e1838425bda3483304
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d05a0902976cf8d2af5ef49a8a926680bb4553b1ba7bb3fcc6c2aed6b487d920
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEE0D812E0DEA90FE2A6FA3D386A060BAD19F81510B085AFEC40482687DD556C418249
                                                                                                                                                                                                                                          Function 00007FF848623B03 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97b85673034e66c0addf618012bc137ebd90d5fe172f1251b6bc305e79640b72
                                                                                                                                                                                                                                          • Instruction ID: ab3f9c0b21f8c23d6d901cce174a2e5460bbd9e93a16b9f5d736686e468154b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97b85673034e66c0addf618012bc137ebd90d5fe172f1251b6bc305e79640b72
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0FE06D7080D6899FCB42FBB8805A8EDBFF09F16220B5800EAC444E7253CA2C5881CB52
                                                                                                                                                                                                                                          Function 00007FF84862BCA3 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc5c2bbe3b2b586768e40bda442ae0fc98fd5f6f079df64e76c48895c68ece10
                                                                                                                                                                                                                                          • Instruction ID: 909764da03322b4f6b4829e4556018d01de52ad51e669b40c754b07b4e4bdaf2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc5c2bbe3b2b586768e40bda442ae0fc98fd5f6f079df64e76c48895c68ece10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EBD05E55E09A49EBEB80EB58C406BACB7E2EB18724F1401E4914D976C2CF5C68018301
                                                                                                                                                                                                                                          Function 00007FF848625D2A Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83d90cff2cc5b6be71c6955ba41be0a9ea3ad9a1e888a343ef0e200021d524bd
                                                                                                                                                                                                                                          • Instruction ID: 2490b03ce2dd45cb0fb1e386884ca3eb1d357bbbb13ecd65cafb9140df87facb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83d90cff2cc5b6be71c6955ba41be0a9ea3ad9a1e888a343ef0e200021d524bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3C092B2D1CD1D8FFBD4FA5C988C2ECABF2FBA8654F404625C408E3244DF2458028B84
                                                                                                                                                                                                                                          Function 00007FF8486281AE Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.2806224200.00007FF848620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848620000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ff848620000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ca7bd926c23fd13eda9625e64d3455e690b55594f44ab9d8b835f53cd0f20b38
                                                                                                                                                                                                                                          • Instruction ID: f4337a53e85bc5dc37b51c080e770121acec6e32540dbb7cd72ef5fc009228a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca7bd926c23fd13eda9625e64d3455e690b55594f44ab9d8b835f53cd0f20b38
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FC08C3054521D8FC7828A78042824436E06B11110B5400AB8048C7590C7380C8A8700